-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pickling for Async Clipboard API #636
Comments
Hi there, @torgo, @LeaVerou and I looked at this today. One concern - say a web site creates a custom format - then other web sites start to adopt this - then it becomes widespread without sanitization. Is this being restricted to a domain name? People reverse-engineer formats, and this could lead to a lot of unsanitized content in clipboards. Example, I am Figma and I allow people to paste say JavaScript because it's in my format. Now someone creates an app that can read and write this format and provide some features not in Figma. This could lead users to use both apps and copy/paste between them. But maybe the second app adds malicious JS (or just triggers an untested code path in Figma) which will be executed in figma if people paste it in there. There doesn't even seem to be a way for sites to see where the pasted content originates (like origin) so do their own sanitation. |
Additional comments: On naming - we've reviewed what you've written in the explainer, but we still feel there could be a lot of confusion about this API especially with non-english speakers. Not sure if there is anything that can be done here. On privacy - good to see an additional user activation requirement. However, I was under the impression that there is a requirement for user activation on any clipboard read. Is this not the case? |
We don't want to restrict to a domain because we want native apps to be able to consume contents from sites that opted-in to be using pickling formats, and vice versa.
Pickling formats is not exposed as an API name anywhere. Are you referring to the usage in the explainer and the spec? We could also refer to it as
In Chromium, we do have user activation requirement for Adding @dway123 @whsieh @gked @BoCupp-Microsoft to comment more on this. |
Is this still under discussion somewhere? I don't understand how this can be reconciled with the need to keep users' clipboard contents private when they visit a web page (which is related to one of our key design principles : https://www.w3.org/TR/design-principles/#safe-to-browse that it must be safe to visit a web page). |
There was a discussion on github which can be found here. We are reaching out to web applications so they can weigh-in on this bit as well. CCing @garykac as FYI |
I am from Office team. Custom formats in Clipboard will benefit our users since it will drastically improve native to web apps copy paste fidelity. We are good with doing sanitization of custom formats at our end. |
I'm not sure I'm convinced that putting something behind a permission by itself is sufficient for something this powerful and potential privacy infringing, especially considering how we have seen egregious gaming of privacy prompts by bad actors (see here: #337 (comment)). However, adding a user activation requirement and being the active document in focus (as you've described) may provide additional mitigation. I put this on the agenda for this week's TAG calls to discuss further. Are the risks and mitigations documented in the appropriate security & privacy considerations section? If so, can you point me that way? |
Thank you, looking forward to getting the feedback on this proposal. To your last question, I believe, @snianu has documented privacy and security risks before. Hey @snianu, could you please point @torgo to it? |
Here is the link to the security/privacy section in the explainer: https://github.com/dway123/clipboard-pickling/blob/main/explainer.md#privacy-and-security |
@gked : Replaying our discussion in today's TAG plenary call where we discussed this issue. The TAG consensus is that the mitigation described - permission, sticky activation, active document - is not sufficient. This is because it still could lead to unintentional leakage of the information held in the user's clipboard. We don't believe that the user activation as specified contains a notion of a restricted form of activation that carries some kind of intent (a specific intent to paste content). And if this feature should be added to the web, then that kind of activation feature (with intention) should also be added. One scenario is: you're phished to a page that looks like your bank's web site. that page induces you to agree to the permission through a dark pattern (and also induces some additional interaction in the same way), and then (without an explicit paste command) the web page in question has access to the contents of your clipboard. Another scenario: you're on a legitimate site and you explicitly paste something into a page which has permission to access your clipboard. Now you go off and copy something else (say a password) into your clipboard which is unrelated to your interaction with this site. And bring the browser window back up. Assuming this site is the active tab, this site would have access to your sensitive information on the clipboard. We understand the performance issue that's been articulated. Is there another way to address this issue that can afford the user the protection we think they need here. |
Thanks, @torgo for sharing TAG consensus! Correct me if I am wrong but its sounds like security scenarios presented are applicable to not just pickling but any format used by async clipboard api. Pickling format in itself doesn't create any additional vectors of attack in this case. We are reaching out to security reviewers that have reviewed async clipboard api before it was shipped, to better understand rational behind the current API design. P.S. We took your feedback about "sticky" activation and moved to requiring "transient" activation for reading and writing to the clipboard. |
Just a small update. We addressed few security concerns raised by internal security reviews as described below:
The explainer has been updated and moved to editing working group repo: https://github.com/w3c/editing/blob/gh-pages/docs/clipboard-pickling/explainer.md#pickling-for-async-clipboard-api |
@gked sorry for the delayed response but yes that's correct. the scenarios described are applicable to any format used by async clipboard. We did review async clipboard and we did raise this issue however it was our understanding that the feedback had been listened to. And indeed it looks to me from here w3c/clipboard-apis#52 that this issue is still open. Will pick up on that issue. |
@torgo Just checking if TAG got a chance to discuss this API. We made some changes in the format naming and how the custom formats are read/written via async read/write methods and would love to get some feedback on this. |
Apologies for the long delay! We discussed this at length during our VF2F, and while we think this would be a great addition to the platform, it's also a scary+open ended feature. The design itself I think makes a lot of sense and we are happy with it, but we'd like to see this being tried out in the wild (say, with some early adopters) and getting their feedback would be useful to know if there are details/features that we potentially missed in the initial design. Do you think it would make sense to give it a trial run in the wild, and re-open after seeing what kind of feedback comes back? (presumably, also with updates to the design) @snianu |
Thank you @cynthia for the feedback! Yes, we do have partners who are very much interested in using this API as it would unlock some of the powerful editing features in their sites(and interop with native apps) and also provide high fidelity copy-paste content in general. |
Done, please request a re-open when you have more data! |
Ya ya yawm TAG!
I'm requesting a TAG review of Pickling for Async Clipboard API.
Powerful web applications would like to exchange data payloads with web and native applications via the OS clipboard (copy-paste).
The existing Web Platform has an API that supports the most popular standardized data types (text, image, rich text) across all platforms.
However, this API does not scale to the long tail of specialized formats. In particular, custom formats, non-web-standard formats like
TIFF (a large image format), and proprietary formats like .docx (a document format), are not supported by the current Web Platform.
Pickling for Async Clipboard API aims to provide a solution to this problem, by letting web applications read and write custom, unsanitized, web-originated payloads using a standardized pickling format.
Further details:
You should also know that...
There have been discussions on Pickling Clipboard API during TPAC and also while discussing Raw Clipboard API.
Slides: https://docs.google.com/presentation/d/1_fAgL54D0whQ497G8iL0K2kKpxiWDr3M7gXXSIS76II
Editing TF Minutes: https://lists.w3.org/Archives/Public/public-editing-tf/2020Oct/0017.html
We'd prefer the TAG provide feedback as (please delete all but the desired option):
💬 leave review feedback as a comment in this issue and @-notify @snianu @dway123 @BoCupp-Microsoft
The text was updated successfully, but these errors were encountered: