[Webkit-unassigned] [Bug 124391] text/rtf clipboard data is empty (makes TinyMCE and textbox.io require Flash)
bugzilla-daemon at webkit.org
Thu Jan 26 20:41:07 PST 2017
https://bugs.webkit.org/show_bug.cgi?id=124391
--- Comment #15 from Chris Dumez <cdumez at apple.com> ---
(In reply to comment #14)
> (In reply to comment #11)
> > (In reply to comment #10)
> > > The issue here is that:
> > > 1. It can leak private data embedded in RTF from third party applications
> > > 2. It can leak cross-origin content if the user had copied a range of
> > > content across a cross-origin iframe.
> > >
> > > We need to solve both of these problems in order to enable this feature.
> > >
> > > For 1, we probably need to paste RTF content into a document ourselves, and
> > > then re-generate RTF out of the said document. For 2, we probably need to
> > > stop copying contents across a cross-origin iframe.
> >
> > I am not sure I understand 1. I think it would be that third party app's
> > responsibility to put in the clipboard private data.
>
> No, we can't do that. Third party applications aren't expecting their RTF to
> be exposed to a random Web page.
>
> This is why, for example, we don't expose raw HTML, which contains sensitive
> information such as local file path, real user name, etc... included in
> link/meta elements that aren't even visible in the page.
Ok. I am still working on 2.
Regarding 1., your proposal was to paste RTF content into a document ourselves. I am not sure what you mean by that. Can you point me in the right direction?