-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The DataTransfer API should be safer #1244
Comments
My current thinking is that we should add another drag data store mode called for example safe read/write or filtered read/write. This is the default mode for JS without special permissions and privileges, and it works like this:
|
Thanks for raising this! I'm just digging into this part of the spec for the first time, so please let me know if I'm misunderstanding the current spec or your suggestion. First let me make sure I am understanding the exact concern, since there is a lot of surface area on the API. I think this is about using One question I had is what happens when I try to read back that data for your transformable types, via the Another minor question is what the motivation is for read/write mode + safe read/write mode. Shouldn't we just change read/write mode to always be safe?
Could you give a bit more detail here? If I understand, the overall desire here is to avoid giving apps the ability to arbitrarily set binary data + a type string on the system clipboard, because later, the user might paste it into an app that tries to decode it using native decoders, and trigger an exploit. That makes sense. So we have a safelist of always-safe types, and another list of can-be-made-safe types, and no other type strings can be set on the clipboard besides those. But then we still want to allow applications to put arbitrary data on the clipboard, even if the app doesn't get to specify the type? In that case I might go for censoring all provided types that fall outside the safe lists to |
@domenic good questions. Firstly: yes, your understanding of the concerns is pretty accurate. Some extra details are better explained privately (apologies). If possible, I think just-in-time transforms would be better (so when data is written to the clipboard/dropped). Applications (Chrome in production, Firefox about to ship) already do the "custom types in proprietary format" thing. It's used internally by the browser to handle copying between tabs where scripts write/read custom types (a high profile example is Google Docs). Admittedly, this is somewhat self-contradicting. Firstly, we want to hamper web->native data transfer for security reasons and won't allow scripts to write application/x-vendor-fancy-data for the native fancy-data app to pick up. On second thought, we'll allow that anyway but put it in a custom field so the native fancy-data app if it really wants to can read the application/x-web-browser-custom-data, parse it and extract the application/x-vendor-fancy-data stuff anyway. My thinking is that interoperability is important and we wanted to enable for example copying from G Docs in Chrome to G Docs in Firefox and vice versa - but I admit this is a corner case.. |
OK, great. So if I do If that's the case, this should be a fairly straightforward spec change, as it's about adding advice for implementations that they should not allow user-provided data to make its way onto the clipboard or into other applications directly, and should consider transcoding it or at least censoring its type string. But it won't change the normative processing model of how to store types, and won't require a new drag store mode. How does that sound to you?
I'm not quite sure I understand this part. Is this saying that when we add the above advice, we should advise that the type string that other applications see is |
@domenic my remaining question is if we're going to want an "unfiltered" mode. I.e. should we cater for the possibility that browser vendors might implement a "wash my hands" permission and let users say "this app/site is really, really trusted, let it write custom data formats for native apps like Photoshop/*Office/whatever without further ado"? We have had (and will continue to have) demand from authors for such full access... It's hard to imagine a useful UI though. If we want to leave the door open to permit "full access", I think "modes" is the best way to do it. Regarding the custom types: obviously, if we want to enable interoperability between the same web apps running in different browser engines, we need to spec a shared clipboard format for custom data. This implies that other native software will also see a "Web browser custom data" clipboard entry (by any description after some bikeshedding) and potentially grow features that start making use of said "Web browser custom data" on paste/drop. If this is considered an extremely rare use case we should not cater for, and custom data on the real OS clipboard is considered too risky, we can of course spec that the browsers should keep custom data somewhere internally and augment the DataTransfer object with the internally stored custom data as if it were on the clipboard on the next paste (unless the OS clipboard's contents changed meanwhile). This seems harder to test and harder to get right, but it is a judgement call. |
@hallvors would you mind answering my questions from above? They were:
and also
Regarding unfiltered mode:
I think we should consider adding that if 2+ browsers actually have plans to ship it. Otherwise, there's no need to complicate the spec for a hypothetical feature.
This does sound like an interesting project. Is there multi-vendor interest in creating such a spec and implementing it? |
Using the DataTransfer API you can make data travel across security boundaries - web to local application. This can enable malicious payloads - for example malformed data intended to exploit bugs in data processing of local applications that are targets of Drag-and-drop or copy/paste operations.
For better or worse, we have to consider these issues. Implementations are already adding security precautions that are not covered by the current spec, such as
The algorithms in the spec need to add such measures for security reasons.
The text was updated successfully, but these errors were encountered: