[Webkit-unassigned] [Bug 124391] text/rtf clipboard data is empty (makes TinyMCE and textbox.io require Flash)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 26 20:41:07 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=124391

--- Comment #15 from Chris Dumez <cdumez at apple.com> ---
(In reply to comment #14)
> (In reply to comment #11)
> > (In reply to comment #10)
> > > The issue here is that:
> > > 1. It can leak private data embedded in RTF from third party applications
> > > 2. It can leak cross-origin content if the user had copied a range of
> > > content across a cross-origin iframe.
> > > 
> > > We need to solve both of these problems in order to enable this feature.
> > > 
> > > For 1, we probably need to paste RTF content into a document ourselves, and
> > > then re-generate RTF out of the said document. For 2, we probably need to
> > > stop copying contents across a cross-origin iframe.
> > 
> > I am not sure I understand 1. I think it would be that third party app's
> > responsibility to put in the clipboard private data.
> 
> No, we can't do that. Third party applications aren't expecting their RTF to
> be exposed to a random Web page.
> 
> This is why, for example, we don't expose raw HTML, which contains sensitive
> information such as local file path, real user name, etc... included in
> link/meta elements that aren't even visible in the page.

Ok. I am still working on 2.

Regarding 1., your proposal was to paste RTF content into a document ourselves. I am not sure what you mean by that. Can you point me in the right direction?
