From 92df9661820342e91ffbe3895f0a4a52e3c7bc26 Mon Sep 17 00:00:00 2001 From: Anupam Snigdha Date: Wed, 1 Dec 2021 16:57:29 -0800 Subject: [PATCH 1/2] Clarify PII concerns in the explainer. --- docs/clipboard-pickling/explainer.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/clipboard-pickling/explainer.md b/docs/clipboard-pickling/explainer.md index a63bc1c..77d8741 100644 --- a/docs/clipboard-pickling/explainer.md +++ b/docs/clipboard-pickling/explainer.md 
@@ -189,9 +189,9 @@ For #1 we need to update all browsers and convince web developers to migrate to For #2 we need to update all browsers and native apps to consume this new custom format. This has backward compatibility concern, but since this is an explicit opt-in and doesn't affect reading/writing of the standard formats such as HTML, plain-text etc if these formats are written along with custom formats, we don't expect any copy-paste regressions for the existing formats. ## Privacy and Security -This feature introduces custom clipboard formats with unsanitized content that will be exposed to both native apps and websites. Through the custom clipboard formats, PII may be transferable from web to native apps or vice versa. Currently copy-paste operation (e.g. plain text payloads) does expose highly sensitive PII such as SSN, DOB, passwords etc. and this feature doesn't expose anything new. These custom formats may be less visible to the user compared to the plain-text format so it might still be possible to transfer PII data without the knowledge of the user. +This feature introduces custom clipboard formats with unsanitized content that will be exposed to both native apps and websites. Through the custom clipboard formats, PII may be transferable from web to native apps or vice versa. The content in the custom format is less visible/obvious to the users compared to the plain-text format so it might still be possible to transfer PII data without the knowledge of the user. This is also true for the existing [DataTransfer APIs](https://html.spec.whatwg.org/multipage/dnd.html#the-datatransfer-interface) that expose unsanitized HTML content in the standard HTML format(via setData/getData methods), but there may be metadata present in the custom format that wouldn't be typically included in the HTML format. 
The parsing rules for the custom format content and what data is included in the format, have to be defined by the native and web apps that read/write this format, so that alleviates some privacy concerns regarding who can read the sensitive data (if present) in the custom formats. -Websites or native apps need to explicitly opt-in to consume these formats which will mitigate the concerns about remote code execution in legacy apps. Popular standardized data types (HTML, text, image etc) are available across all platforms and some types have sanitizers (HTML format) to strip out `
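Review bot: the replacement paragraph in this hunk drops the old justification ("Currently copy-paste operation ... doesn't expose anything new") and instead concedes that "there may be metadata present in the custom format that wouldn't be typically included in the HTML format", but it stops there without saying what limits that new exposure; since the unchanged context above already relies on the explicit opt-in ("Websites or native apps need to explicitly opt-in to consume these formats"), consider closing the added paragraph by tying the metadata concern to that opt-in, so the risk statement and the mitigation the explainer depends on sit together. Two smaller points in the same `+` line: `standard HTML format(via setData/getData methods)` is missing a space before the parenthesis, and "less visible/obvious to the users" reads better as "less visible to users".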