Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
On Thu, Feb 29, 2024 at 2:17 AM Anupam Snigdha wrote: > Thank you for all the LGTMs! > > How hard would it be to specify the sanitization steps we implemented for > both HTML and SVG on top of the Sanitizer API? > > I think once we have support > <https://github.com/w3c/clipboard-apis/issues/150#issuecomment-884190205> > <https://github.com/w3c/clipboard-apis/issues/150#issuecomment-884190205>for > clipboard sanitization in the Sanitizer API, it should be fairly easy to > specify that in the clipboard spec. Webkit is totally opposed > <https://github.com/w3c/clipboard-apis/issues/150#issuecomment-917273986> to > it, but Firefox position is neutral to positive > <https://github.com/w3c/clipboard-apis/issues/150#issuecomment-884126368>, > so we need support from Firefox to add this to the official clipboard API > spec. > You don't need consensus in order to specify something, you need it in order to *standardize* it. What that means in practice is that you could create a specification that monkey patches the clipboard and defines the sanitization steps Chromium has implemented. Then once we have support, we'd be able to move this specification from directly into the Clipboard API spec. > > -Anupam > > -- > *From:* Yoav Weiss (@Shopify) > *Sent:* Wednesday, February 28, 2024 11:08 AM > *To:* Anupam Snigdha > *Cc:* Daniel Bratell ; Chris Harrelson < > chris...@chromium.org>; Thomas Steiner ; Evan Stade < > est...@chromium.org>; Anupam Snigdha ; 一丝 < > yio...@gmail.com>; blink-dev ; > sligh...@chromium.org ; svo...@gmail.com < > s...@voisen.org>; pwn...@chromium.org ; Marijn > Kruisselbrink ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) > *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: > Svg > > LGTM3 > > It's really not great that the sanitization steps are not specified, but > given that this is simply extending where the HTML > sanitization steps apply, I guess this doesn't significantly increase our > tech debt on that front. > > How hard would it be to specify the sanitization steps we implemented for > both HTML and SVG on top of the Sanitizer API? > > On Tue, Feb 27, 2024 at 11:07 PM Anupam Snigdha > wrote: > > The exact steps of the sanitization process isn't specified anywhere since > it's very fluid and also subject to change based on the outcome of the > Sanitizer API proposal. Since the HTML format already uses this sanitizer, > we decided to use it for SVG format as well. This was also proposed by the > security team: > https://docs.google.com/document/d/1jq8QSCQRdNy99rnPusmW8is62c22PVuq-Sk-tMT2tRk/edit?disco=GzUW4fQ > -- > *From:* Yoav Weiss (@Shopify) > *Sent:* Tuesday, February 27, 2024 1:53 PM > *To:* Anupam Snigdha > *Cc:* Daniel Bratell ; Chris Harrelson < > chris...@chromium.org>; Thomas Steiner ; Evan Stade < > est...@chromium.org>; Anupam Snigdha ; 一丝 < > yio...@gmail.com>; blink-dev ; > sligh...@chromium.org ; svo...@gmail.com < > s...@voisen.org>; pwn...@chromium.org ; Marijn > Kruisselbrink ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) > *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: > Svg > > > > On Tue, Feb 27, 2024 at 10:40 PM Anupam Snigdha > wrote: > > We're using the same sanitizer that HTML format uses to produce a fragment > with styles inlined. This is also the same sanitization process used in > paste operation(ctrl+V). > > > OK, so that's the one specified in > https://github.com/w3c/clipboard-apis/issues/150? > > -- > *From:* Yoav Weiss (@Shopify) > *Sent:* Tuesday, February 27, 2024 1:30 PM > *To:* Anupam Snigdha > *Cc:* Daniel Bratell ; Chris Harrelson < > chris...@chromium.org>; Thomas Steiner ; Evan Stade < > est...@chromium.org>; Anupam Snigdha ; 一丝 < > yio...@gmail.com>; blink-dev ; > sligh...@chromium.org ; svo...@gmail.com < > s...@voisen.org>; pwn...@chromium.org ; Marijn > Kruisselbrink ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) &
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
Thank you for all the LGTMs! How hard would it be to specify the sanitization steps we implemented for both HTML and SVG on top of the Sanitizer API? I think once we have support<https://github.com/w3c/clipboard-apis/issues/150#issuecomment-884190205> <https://github.com/w3c/clipboard-apis/issues/150#issuecomment-884190205> for clipboard sanitization in the Sanitizer API, it should be fairly easy to specify that in the clipboard spec. Webkit is totally opposed<https://github.com/w3c/clipboard-apis/issues/150#issuecomment-917273986> to it, but Firefox position is neutral to positive<https://github.com/w3c/clipboard-apis/issues/150#issuecomment-884126368>, so we need support from Firefox to add this to the official clipboard API spec. -Anupam From: Yoav Weiss (@Shopify) Sent: Wednesday, February 28, 2024 11:08 AM To: Anupam Snigdha Cc: Daniel Bratell ; Chris Harrelson ; Thomas Steiner ; Evan Stade ; Anupam Snigdha ; 一丝 ; blink-dev ; sligh...@chromium.org ; svo...@gmail.com ; pwn...@chromium.org ; Marijn Kruisselbrink ; huang...@chromium.org ; mk...@chromium.org ; Joshua Bell ; christin...@chromium.org ; etiennen...@chromium.org ; Sanket Joshi (EDGE) Subject: Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg LGTM3 It's really not great that the sanitization steps are not specified, but given that this is simply extending where the HTML sanitization steps apply, I guess this doesn't significantly increase our tech debt on that front. How hard would it be to specify the sanitization steps we implemented for both HTML and SVG on top of the Sanitizer API? On Tue, Feb 27, 2024 at 11:07 PM Anupam Snigdha mailto:sni...@microsoft.com>> wrote: The exact steps of the sanitization process isn't specified anywhere since it's very fluid and also subject to change based on the outcome of the Sanitizer API proposal. Since the HTML format already uses this sanitizer, we decided to use it for SVG format as well. This was also proposed by the security team: https://docs.google.com/document/d/1jq8QSCQRdNy99rnPusmW8is62c22PVuq-Sk-tMT2tRk/edit?disco=GzUW4fQ From: Yoav Weiss (@Shopify) mailto:yoavwe...@chromium.org>> Sent: Tuesday, February 27, 2024 1:53 PM To: Anupam Snigdha mailto:sni...@microsoft.com>> Cc: Daniel Bratell mailto:bratel...@gmail.com>>; Chris Harrelson mailto:chris...@chromium.org>>; Thomas Steiner mailto:to...@google.com>>; Evan Stade mailto:est...@chromium.org>>; Anupam Snigdha mailto:snianu.micros...@gmail.com>>; 一丝 mailto:yio...@gmail.com>>; blink-dev mailto:blink-dev@chromium.org>>; sligh...@chromium.org<mailto:sligh...@chromium.org> mailto:slightly...@chromium.org>>; svo...@gmail.com<mailto:svo...@gmail.com> mailto:s...@voisen.org>>; pwn...@chromium.org<mailto:pwn...@chromium.org> mailto:pwn...@chromium.org>>; Marijn Kruisselbrink mailto:m...@chromium.org>>; huang...@chromium.org<mailto:huang...@chromium.org> mailto:huangdar...@chromium.org>>; mk...@chromium.org<mailto:mk...@chromium.org> mailto:mk...@chromium.org>>; Joshua Bell mailto:jsb...@chromium.org>>; christin...@chromium.org<mailto:christin...@chromium.org> mailto:christin...@chromium.org>>; etiennen...@chromium.org<mailto:etiennen...@chromium.org> mailto:etiennen...@chromium.org>>; Sanket Joshi (EDGE) mailto:sa...@microsoft.com>> Subject: Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg On Tue, Feb 27, 2024 at 10:40 PM Anupam Snigdha mailto:sni...@microsoft.com>> wrote: We're using the same sanitizer that HTML format uses to produce a fragment with styles inlined. This is also the same sanitization process used in paste operation(ctrl+V). OK, so that's the one specified in https://github.com/w3c/clipboard-apis/issues/150? From: Yoav Weiss (@Shopify) mailto:yoavwe...@chromium.org>> Sent: Tuesday, February 27, 2024 1:30 PM To: Anupam Snigdha mailto:sni...@microsoft.com>> Cc: Daniel Bratell mailto:bratel...@gmail.com>>; Chris Harrelson mailto:chris...@chromium.org>>; Thomas Steiner mailto:to...@google.com>>; Evan Stade mailto:est...@chromium.org>>; Anupam Snigdha mailto:snianu.micros...@gmail.com>>; 一丝 mailto:yio...@gmail.com>>; blink-dev mailto:blink-dev@chromium.org>>; sligh...@chromium.org<mailto:sligh...@chromium.org> mailto:slightly...@chromium.org>>; svo...@gmail.com<mailto:svo...@gmail.com> mailto:s...@voisen.org>>; pwn...@chromium.org<mailto:pwn...@chromium.org> mailto:pwn...@chromium.org>>; Marijn Kruisselbrink mailto:m...@chromium.org>>; huang...@chromium.org<mailto:huang...@chromium.org> mailto:huangdar...@chromium.org>>; mk...
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
LGTM3 It's really not great that the sanitization steps are not specified, but given that this is simply extending where the HTML sanitization steps apply, I guess this doesn't significantly increase our tech debt on that front. How hard would it be to specify the sanitization steps we implemented for both HTML and SVG on top of the Sanitizer API? On Tue, Feb 27, 2024 at 11:07 PM Anupam Snigdha wrote: > The exact steps of the sanitization process isn't specified anywhere since > it's very fluid and also subject to change based on the outcome of the > Sanitizer API proposal. Since the HTML format already uses this sanitizer, > we decided to use it for SVG format as well. This was also proposed by the > security team: > https://docs.google.com/document/d/1jq8QSCQRdNy99rnPusmW8is62c22PVuq-Sk-tMT2tRk/edit?disco=GzUW4fQ > -- > *From:* Yoav Weiss (@Shopify) > *Sent:* Tuesday, February 27, 2024 1:53 PM > *To:* Anupam Snigdha > *Cc:* Daniel Bratell ; Chris Harrelson < > chris...@chromium.org>; Thomas Steiner ; Evan Stade < > est...@chromium.org>; Anupam Snigdha ; 一丝 < > yio...@gmail.com>; blink-dev ; > sligh...@chromium.org ; svo...@gmail.com < > s...@voisen.org>; pwn...@chromium.org ; Marijn > Kruisselbrink ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) > *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: > Svg > > > > On Tue, Feb 27, 2024 at 10:40 PM Anupam Snigdha > wrote: > > We're using the same sanitizer that HTML format uses to produce a fragment > with styles inlined. This is also the same sanitization process used in > paste operation(ctrl+V). > > > OK, so that's the one specified in > https://github.com/w3c/clipboard-apis/issues/150? > > -- > *From:* Yoav Weiss (@Shopify) > *Sent:* Tuesday, February 27, 2024 1:30 PM > *To:* Anupam Snigdha > *Cc:* Daniel Bratell ; Chris Harrelson < > chris...@chromium.org>; Thomas Steiner ; Evan Stade < > est...@chromium.org>; Anupam Snigdha ; 一丝 < > yio...@gmail.com>; blink-dev ; > sligh...@chromium.org ; svo...@gmail.com < > s...@voisen.org>; pwn...@chromium.org ; Marijn > Kruisselbrink ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) > *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: > Svg > > > > On Tue, Feb 27, 2024 at 10:18 PM Anupam Snigdha > wrote: > > I noticed that the tests here are marked as "tentative". Is the > sanitizer part of this specified? > > Since there is no consensus on the clipboard sanitization, the tests are > marked as tentative for now. We had discussions > <https://github.com/w3c/clipboard-apis/issues/150> > <https://github.com/w3c/clipboard-apis/issues/150>in the past to > standardize the sanitization process (in the context of HTML), but were not > able to get consensus > <https://github.com/w3c/clipboard-apis/issues/150#issuecomment-974594001> > > > Oh my.. > > While consensus does seem elusive in this case, do you think it'd be > possible to specify what we're shipping here, even if we can't standardize > it right away? > > from other browser vendors. > > > With the new Sanitizer API > <https://wicg.github.io/sanitizer-api/#sanitizer-api>, hopefully we can > standardize the sanitization process and make it consistent for all formats > in the clipboard. > > -- > *From:* Yoav Weiss (@Shopify) > *Sent:* Tuesday, February 27, 2024 1:06 PM > *To:* Daniel Bratell > *Cc:* Chris Harrelson ; Anupam Snigdha < > sni...@microsoft.com>; Thomas Steiner ; Evan Stade < > est...@chromium.org>; Anupam Snigdha ; 一丝 < > yio...@gmail.com>; blink-dev ; > sligh...@chromium.org ; svo...@gmail.com < > s...@voisen.org>; pwn...@chromium.org ; Marijn > Kruisselbrink ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) > *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: > Svg > > > On Fri, Feb 23, 2024 at 7:40 PM Daniel Bratell > wrote: > > LGTM > > Not sure if it's LGTM2 or LGTM4 since that d
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
The exact steps of the sanitization process isn't specified anywhere since it's very fluid and also subject to change based on the outcome of the Sanitizer API proposal. Since the HTML format already uses this sanitizer, we decided to use it for SVG format as well. This was also proposed by the security team: https://docs.google.com/document/d/1jq8QSCQRdNy99rnPusmW8is62c22PVuq-Sk-tMT2tRk/edit?disco=GzUW4fQ From: Yoav Weiss (@Shopify) Sent: Tuesday, February 27, 2024 1:53 PM To: Anupam Snigdha Cc: Daniel Bratell ; Chris Harrelson ; Thomas Steiner ; Evan Stade ; Anupam Snigdha ; 一丝 ; blink-dev ; sligh...@chromium.org ; svo...@gmail.com ; pwn...@chromium.org ; Marijn Kruisselbrink ; huang...@chromium.org ; mk...@chromium.org ; Joshua Bell ; christin...@chromium.org ; etiennen...@chromium.org ; Sanket Joshi (EDGE) Subject: Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg On Tue, Feb 27, 2024 at 10:40 PM Anupam Snigdha mailto:sni...@microsoft.com>> wrote: We're using the same sanitizer that HTML format uses to produce a fragment with styles inlined. This is also the same sanitization process used in paste operation(ctrl+V). OK, so that's the one specified in https://github.com/w3c/clipboard-apis/issues/150? From: Yoav Weiss (@Shopify) mailto:yoavwe...@chromium.org>> Sent: Tuesday, February 27, 2024 1:30 PM To: Anupam Snigdha mailto:sni...@microsoft.com>> Cc: Daniel Bratell mailto:bratel...@gmail.com>>; Chris Harrelson mailto:chris...@chromium.org>>; Thomas Steiner mailto:to...@google.com>>; Evan Stade mailto:est...@chromium.org>>; Anupam Snigdha mailto:snianu.micros...@gmail.com>>; 一丝 mailto:yio...@gmail.com>>; blink-dev mailto:blink-dev@chromium.org>>; sligh...@chromium.org<mailto:sligh...@chromium.org> mailto:slightly...@chromium.org>>; svo...@gmail.com<mailto:svo...@gmail.com> mailto:s...@voisen.org>>; pwn...@chromium.org<mailto:pwn...@chromium.org> mailto:pwn...@chromium.org>>; Marijn Kruisselbrink mailto:m...@chromium.org>>; huang...@chromium.org<mailto:huang...@chromium.org> mailto:huangdar...@chromium.org>>; mk...@chromium.org<mailto:mk...@chromium.org> mailto:mk...@chromium.org>>; Joshua Bell mailto:jsb...@chromium.org>>; christin...@chromium.org<mailto:christin...@chromium.org> mailto:christin...@chromium.org>>; etiennen...@chromium.org<mailto:etiennen...@chromium.org> mailto:etiennen...@chromium.org>>; Sanket Joshi (EDGE) mailto:sa...@microsoft.com>> Subject: Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg On Tue, Feb 27, 2024 at 10:18 PM Anupam Snigdha mailto:sni...@microsoft.com>> wrote: I noticed that the tests here are marked as "tentative". Is the sanitizer part of this specified? Since there is no consensus on the clipboard sanitization, the tests are marked as tentative for now. We had discussions<https://github.com/w3c/clipboard-apis/issues/150> <https://github.com/w3c/clipboard-apis/issues/150> in the past to standardize the sanitization process (in the context of HTML), but were not able to get consensus<https://github.com/w3c/clipboard-apis/issues/150#issuecomment-974594001> Oh my.. While consensus does seem elusive in this case, do you think it'd be possible to specify what we're shipping here, even if we can't standardize it right away? from other browser vendors. With the new Sanitizer API<https://wicg.github.io/sanitizer-api/#sanitizer-api>, hopefully we can standardize the sanitization process and make it consistent for all formats in the clipboard. From: Yoav Weiss (@Shopify) mailto:yoavwe...@chromium.org>> Sent: Tuesday, February 27, 2024 1:06 PM To: Daniel Bratell mailto:bratel...@gmail.com>> Cc: Chris Harrelson mailto:chris...@chromium.org>>; Anupam Snigdha mailto:sni...@microsoft.com>>; Thomas Steiner mailto:to...@google.com>>; Evan Stade mailto:est...@chromium.org>>; Anupam Snigdha mailto:snianu.micros...@gmail.com>>; 一丝 mailto:yio...@gmail.com>>; blink-dev mailto:blink-dev@chromium.org>>; sligh...@chromium.org<mailto:sligh...@chromium.org> mailto:slightly...@chromium.org>>; svo...@gmail.com<mailto:svo...@gmail.com> mailto:s...@voisen.org>>; pwn...@chromium.org<mailto:pwn...@chromium.org> mailto:pwn...@chromium.org>>; Marijn Kruisselbrink mailto:m...@chromium.org>>; huang...@chromium.org<mailto:huang...@chromium.org> mailto:huangdar...@chromium.org>>; mk...@chromium.org<mailto:mk...@chromium.org> mailto:mk...@chromium.org>>; Joshua Bell mailto:jsb...@chromium.org>>; christin...@chromium.org<mailto:christin...@chromium.org>
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
On Tue, Feb 27, 2024 at 10:40 PM Anupam Snigdha wrote: > We're using the same sanitizer that HTML format uses to produce a fragment > with styles inlined. This is also the same sanitization process used in > paste operation(ctrl+V). > OK, so that's the one specified in https://github.com/w3c/clipboard-apis/issues/150? -- > *From:* Yoav Weiss (@Shopify) > *Sent:* Tuesday, February 27, 2024 1:30 PM > *To:* Anupam Snigdha > *Cc:* Daniel Bratell ; Chris Harrelson < > chris...@chromium.org>; Thomas Steiner ; Evan Stade < > est...@chromium.org>; Anupam Snigdha ; 一丝 < > yio...@gmail.com>; blink-dev ; > sligh...@chromium.org ; svo...@gmail.com < > s...@voisen.org>; pwn...@chromium.org ; Marijn > Kruisselbrink ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) > *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: > Svg > > > > On Tue, Feb 27, 2024 at 10:18 PM Anupam Snigdha > wrote: > > I noticed that the tests here are marked as "tentative". Is the > sanitizer part of this specified? > > Since there is no consensus on the clipboard sanitization, the tests are > marked as tentative for now. We had discussions > <https://github.com/w3c/clipboard-apis/issues/150> > <https://github.com/w3c/clipboard-apis/issues/150>in the past to > standardize the sanitization process (in the context of HTML), but were not > able to get consensus > <https://github.com/w3c/clipboard-apis/issues/150#issuecomment-974594001> > > > Oh my.. > > While consensus does seem elusive in this case, do you think it'd be > possible to specify what we're shipping here, even if we can't standardize > it right away? > > from other browser vendors. > > > With the new Sanitizer API > <https://wicg.github.io/sanitizer-api/#sanitizer-api>, hopefully we can > standardize the sanitization process and make it consistent for all formats > in the clipboard. > > -- > *From:* Yoav Weiss (@Shopify) > *Sent:* Tuesday, February 27, 2024 1:06 PM > *To:* Daniel Bratell > *Cc:* Chris Harrelson ; Anupam Snigdha < > sni...@microsoft.com>; Thomas Steiner ; Evan Stade < > est...@chromium.org>; Anupam Snigdha ; 一丝 < > yio...@gmail.com>; blink-dev ; > sligh...@chromium.org ; svo...@gmail.com < > s...@voisen.org>; pwn...@chromium.org ; Marijn > Kruisselbrink ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) > *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: > Svg > > > On Fri, Feb 23, 2024 at 7:40 PM Daniel Bratell > wrote: > > LGTM > > Not sure if it's LGTM2 or LGTM4 since that depends on if the 2021 LGTMS > still apply, but this still seems ready to ship. > > /Daniel > On 2024-02-23 19:14, Chris Harrelson wrote: > > My LGTM still stands, and have recorded it in the tool. > > On Fri, Feb 23, 2024 at 10:01 AM 'Anupam Snigdha' via blink-dev < > blink-dev@chromium.org> wrote: > > Gentle ping.. Received signoffs for all review gates for this feature. > -- > *From:* Anupam Snigdha > *Sent:* Monday, February 12, 2024 10:37 AM > *To:* Thomas Steiner ; Chris Harrelson < > chris...@chromium.org> > *Cc:* Evan Stade ; Anupam Snigdha < > snianu.micros...@gmail.com>; 一丝 ; blink-dev < > blink-dev@chromium.org>; sligh...@chromium.org ; > svo...@gmail.com ; pwn...@chromium.org < > pwn...@chromium.org>; Marijn Kruisselbrink ; > yoav...@chromium.org ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) > *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: > Svg > > I've made some changes > <https://chromium-review.googlesource.com/c/chromium/src/+/5277574> > <https://chromium-review.googlesource.com/c/chromium/src/+/5277574>to > address the loss of styles and other formatting issues during write. During > read, if the authors have added `image/svg+xml` to the `unsanitized` list, > then the SVG image content is returned without any strict processing by the > browser. By-default, read processes the `image/svg+x
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
We're using the same sanitizer that HTML format uses to produce a fragment with styles inlined. This is also the same sanitization process used in paste operation(ctrl+V). From: Yoav Weiss (@Shopify) Sent: Tuesday, February 27, 2024 1:30 PM To: Anupam Snigdha Cc: Daniel Bratell ; Chris Harrelson ; Thomas Steiner ; Evan Stade ; Anupam Snigdha ; 一丝 ; blink-dev ; sligh...@chromium.org ; svo...@gmail.com ; pwn...@chromium.org ; Marijn Kruisselbrink ; huang...@chromium.org ; mk...@chromium.org ; Joshua Bell ; christin...@chromium.org ; etiennen...@chromium.org ; Sanket Joshi (EDGE) Subject: Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg On Tue, Feb 27, 2024 at 10:18 PM Anupam Snigdha mailto:sni...@microsoft.com>> wrote: I noticed that the tests here are marked as "tentative". Is the sanitizer part of this specified? Since there is no consensus on the clipboard sanitization, the tests are marked as tentative for now. We had discussions<https://github.com/w3c/clipboard-apis/issues/150> <https://github.com/w3c/clipboard-apis/issues/150> in the past to standardize the sanitization process (in the context of HTML), but were not able to get consensus<https://github.com/w3c/clipboard-apis/issues/150#issuecomment-974594001> Oh my.. While consensus does seem elusive in this case, do you think it'd be possible to specify what we're shipping here, even if we can't standardize it right away? from other browser vendors. With the new Sanitizer API<https://wicg.github.io/sanitizer-api/#sanitizer-api>, hopefully we can standardize the sanitization process and make it consistent for all formats in the clipboard. From: Yoav Weiss (@Shopify) mailto:yoavwe...@chromium.org>> Sent: Tuesday, February 27, 2024 1:06 PM To: Daniel Bratell mailto:bratel...@gmail.com>> Cc: Chris Harrelson mailto:chris...@chromium.org>>; Anupam Snigdha mailto:sni...@microsoft.com>>; Thomas Steiner mailto:to...@google.com>>; Evan Stade mailto:est...@chromium.org>>; Anupam Snigdha mailto:snianu.micros...@gmail.com>>; 一丝 mailto:yio...@gmail.com>>; blink-dev mailto:blink-dev@chromium.org>>; sligh...@chromium.org<mailto:sligh...@chromium.org> mailto:slightly...@chromium.org>>; svo...@gmail.com<mailto:svo...@gmail.com> mailto:s...@voisen.org>>; pwn...@chromium.org<mailto:pwn...@chromium.org> mailto:pwn...@chromium.org>>; Marijn Kruisselbrink mailto:m...@chromium.org>>; huang...@chromium.org<mailto:huang...@chromium.org> mailto:huangdar...@chromium.org>>; mk...@chromium.org<mailto:mk...@chromium.org> mailto:mk...@chromium.org>>; Joshua Bell mailto:jsb...@chromium.org>>; christin...@chromium.org<mailto:christin...@chromium.org> mailto:christin...@chromium.org>>; etiennen...@chromium.org<mailto:etiennen...@chromium.org> mailto:etiennen...@chromium.org>>; Sanket Joshi (EDGE) mailto:sa...@microsoft.com>> Subject: Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg On Fri, Feb 23, 2024 at 7:40 PM Daniel Bratell mailto:bratel...@gmail.com>> wrote: LGTM Not sure if it's LGTM2 or LGTM4 since that depends on if the 2021 LGTMS still apply, but this still seems ready to ship. /Daniel On 2024-02-23 19:14, Chris Harrelson wrote: My LGTM still stands, and have recorded it in the tool. On Fri, Feb 23, 2024 at 10:01 AM 'Anupam Snigdha' via blink-dev mailto:blink-dev@chromium.org>> wrote: Gentle ping.. Received signoffs for all review gates for this feature. From: Anupam Snigdha mailto:sni...@microsoft.com>> Sent: Monday, February 12, 2024 10:37 AM To: Thomas Steiner mailto:to...@google.com>>; Chris Harrelson mailto:chris...@chromium.org>> Cc: Evan Stade mailto:est...@chromium.org>>; Anupam Snigdha mailto:snianu.micros...@gmail.com>>; 一丝 mailto:yio...@gmail.com>>; blink-dev mailto:blink-dev@chromium.org>>; sligh...@chromium.org<mailto:sligh...@chromium.org> mailto:slightly...@chromium.org>>; svo...@gmail.com<mailto:svo...@gmail.com> mailto:s...@voisen.org>>; pwn...@chromium.org<mailto:pwn...@chromium.org> mailto:pwn...@chromium.org>>; Marijn Kruisselbrink mailto:m...@chromium.org>>; yoav...@chromium.org<mailto:yoav...@chromium.org> mailto:yoavwe...@chromium.org>>; huang...@chromium.org<mailto:huang...@chromium.org> mailto:huangdar...@chromium.org>>; mk...@chromium.org<mailto:mk...@chromium.org> mailto:mk...@chromium.org>>; Joshua Bell mailto:jsb...@chromium.org>>; christin...@chromium.org<mailto:christin...@chromium.org> mailto:christin...@chromium.org>>; etiennen...@chromium.org<mailto:etiennen...@chromium.org>
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
On Tue, Feb 27, 2024 at 10:18 PM Anupam Snigdha wrote: > I noticed that the tests here are marked as "tentative". Is the > sanitizer part of this specified? > > Since there is no consensus on the clipboard sanitization, the tests are > marked as tentative for now. We had discussions > <https://github.com/w3c/clipboard-apis/issues/150> > <https://github.com/w3c/clipboard-apis/issues/150>in the past to > standardize the sanitization process (in the context of HTML), but were not > able to get consensus > <https://github.com/w3c/clipboard-apis/issues/150#issuecomment-974594001> > Oh my.. While consensus does seem elusive in this case, do you think it'd be possible to specify what we're shipping here, even if we can't standardize it right away? from other browser vendors. > > With the new Sanitizer API > <https://wicg.github.io/sanitizer-api/#sanitizer-api>, hopefully we can > standardize the sanitization process and make it consistent for all formats > in the clipboard. > > -- > *From:* Yoav Weiss (@Shopify) > *Sent:* Tuesday, February 27, 2024 1:06 PM > *To:* Daniel Bratell > *Cc:* Chris Harrelson ; Anupam Snigdha < > sni...@microsoft.com>; Thomas Steiner ; Evan Stade < > est...@chromium.org>; Anupam Snigdha ; 一丝 < > yio...@gmail.com>; blink-dev ; > sligh...@chromium.org ; svo...@gmail.com < > s...@voisen.org>; pwn...@chromium.org ; Marijn > Kruisselbrink ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) > *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: > Svg > > > On Fri, Feb 23, 2024 at 7:40 PM Daniel Bratell > wrote: > > LGTM > > Not sure if it's LGTM2 or LGTM4 since that depends on if the 2021 LGTMS > still apply, but this still seems ready to ship. > > /Daniel > On 2024-02-23 19:14, Chris Harrelson wrote: > > My LGTM still stands, and have recorded it in the tool. > > On Fri, Feb 23, 2024 at 10:01 AM 'Anupam Snigdha' via blink-dev < > blink-dev@chromium.org> wrote: > > Gentle ping.. Received signoffs for all review gates for this feature. > -- > *From:* Anupam Snigdha > *Sent:* Monday, February 12, 2024 10:37 AM > *To:* Thomas Steiner ; Chris Harrelson < > chris...@chromium.org> > *Cc:* Evan Stade ; Anupam Snigdha < > snianu.micros...@gmail.com>; 一丝 ; blink-dev < > blink-dev@chromium.org>; sligh...@chromium.org ; > svo...@gmail.com ; pwn...@chromium.org < > pwn...@chromium.org>; Marijn Kruisselbrink ; > yoav...@chromium.org ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) > *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: > Svg > > I've made some changes > <https://chromium-review.googlesource.com/c/chromium/src/+/5277574> > <https://chromium-review.googlesource.com/c/chromium/src/+/5277574>to > address the loss of styles and other formatting issues during write. During > read, if the authors have added `image/svg+xml` to the `unsanitized` list, > then the SVG image content is returned without any strict processing by the > browser. By-default, read processes the `image/svg+xml`using the strict > HTML fragment parser that inlines the styles and strips out certain tags > that may be security sensitive. > > I noticed that the tests here are marked as "tentative". Is the sanitizer > part of this specified? > > I have started the privacy/security reviews for this change. Thanks! > > -Anupam > -- > *From:* Thomas Steiner > *Sent:* Friday, February 2, 2024 12:45 AM > *To:* Chris Harrelson > *Cc:* Evan Stade ; Anupam Snigdha < > snianu.micros...@gmail.com>; 一丝 ; blink-dev < > blink-dev@chromium.org>; sligh...@chromium.org ; > svo...@gmail.com ; pwn...@chromium.org < > pwn...@chromium.org>; Marijn Kruisselbrink ; > yoav...@chromium.org ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; Anupam Snigdha ; > christin...@chromium.org ; > etiennen...@chromium.org > *Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg > > Regarding developer interest, there's definitely some false positives in > there, but a quick GitHub search > <https://github.com/search?type=code=%22navigat
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
I noticed that the tests here are marked as "tentative". Is the sanitizer part of this specified? Since there is no consensus on the clipboard sanitization, the tests are marked as tentative for now. We had discussions<https://github.com/w3c/clipboard-apis/issues/150> <https://github.com/w3c/clipboard-apis/issues/150> in the past to standardize the sanitization process (in the context of HTML), but were not able to get consensus<https://github.com/w3c/clipboard-apis/issues/150#issuecomment-974594001> from other browser vendors. With the new Sanitizer API<https://wicg.github.io/sanitizer-api/#sanitizer-api>, hopefully we can standardize the sanitization process and make it consistent for all formats in the clipboard. From: Yoav Weiss (@Shopify) Sent: Tuesday, February 27, 2024 1:06 PM To: Daniel Bratell Cc: Chris Harrelson ; Anupam Snigdha ; Thomas Steiner ; Evan Stade ; Anupam Snigdha ; 一丝 ; blink-dev ; sligh...@chromium.org ; svo...@gmail.com ; pwn...@chromium.org ; Marijn Kruisselbrink ; huang...@chromium.org ; mk...@chromium.org ; Joshua Bell ; christin...@chromium.org ; etiennen...@chromium.org ; Sanket Joshi (EDGE) Subject: Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg On Fri, Feb 23, 2024 at 7:40 PM Daniel Bratell mailto:bratel...@gmail.com>> wrote: LGTM Not sure if it's LGTM2 or LGTM4 since that depends on if the 2021 LGTMS still apply, but this still seems ready to ship. /Daniel On 2024-02-23 19:14, Chris Harrelson wrote: My LGTM still stands, and have recorded it in the tool. On Fri, Feb 23, 2024 at 10:01 AM 'Anupam Snigdha' via blink-dev mailto:blink-dev@chromium.org>> wrote: Gentle ping.. Received signoffs for all review gates for this feature. From: Anupam Snigdha mailto:sni...@microsoft.com>> Sent: Monday, February 12, 2024 10:37 AM To: Thomas Steiner mailto:to...@google.com>>; Chris Harrelson mailto:chris...@chromium.org>> Cc: Evan Stade mailto:est...@chromium.org>>; Anupam Snigdha mailto:snianu.micros...@gmail.com>>; 一丝 mailto:yio...@gmail.com>>; blink-dev mailto:blink-dev@chromium.org>>; sligh...@chromium.org<mailto:sligh...@chromium.org> mailto:slightly...@chromium.org>>; svo...@gmail.com<mailto:svo...@gmail.com> mailto:s...@voisen.org>>; pwn...@chromium.org<mailto:pwn...@chromium.org> mailto:pwn...@chromium.org>>; Marijn Kruisselbrink mailto:m...@chromium.org>>; yoav...@chromium.org<mailto:yoav...@chromium.org> mailto:yoavwe...@chromium.org>>; huang...@chromium.org<mailto:huang...@chromium.org> mailto:huangdar...@chromium.org>>; mk...@chromium.org<mailto:mk...@chromium.org> mailto:mk...@chromium.org>>; Joshua Bell mailto:jsb...@chromium.org>>; christin...@chromium.org<mailto:christin...@chromium.org> mailto:christin...@chromium.org>>; etiennen...@chromium.org<mailto:etiennen...@chromium.org> mailto:etiennen...@chromium.org>>; Sanket Joshi (EDGE) mailto:sa...@microsoft.com>> Subject: Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg I've made some changes<https://chromium-review.googlesource.com/c/chromium/src/+/5277574> <https://chromium-review.googlesource.com/c/chromium/src/+/5277574> to address the loss of styles and other formatting issues during write. During read, if the authors have added `image/svg+xml` to the `unsanitized` list, then the SVG image content is returned without any strict processing by the browser. By-default, read processes the `image/svg+xml`using the strict HTML fragment parser that inlines the styles and strips out certain tags that may be security sensitive. I noticed that the tests here are marked as "tentative". Is the sanitizer part of this specified? I have started the privacy/security reviews for this change. Thanks! -Anupam From: Thomas Steiner mailto:to...@google.com>> Sent: Friday, February 2, 2024 12:45 AM To: Chris Harrelson mailto:chris...@chromium.org>> Cc: Evan Stade mailto:est...@chromium.org>>; Anupam Snigdha mailto:snianu.micros...@gmail.com>>; 一丝 mailto:yio...@gmail.com>>; blink-dev mailto:blink-dev@chromium.org>>; sligh...@chromium.org<mailto:sligh...@chromium.org> mailto:slightly...@chromium.org>>; svo...@gmail.com<mailto:svo...@gmail.com> mailto:s...@voisen.org>>; pwn...@chromium.org<mailto:pwn...@chromium.org> mailto:pwn...@chromium.org>>; Marijn Kruisselbrink mailto:m...@chromium.org>>; yoav...@chromium.org<mailto:yoav...@chromium.org> mailto:yoavwe...@chromium.org>>; huang...@chromium.org<mailto:huang...@chromium.org> mailto:huangdar...@chromium.org>>; mk...@chromium.org<mailto:mk...@chromium.org>
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
On Fri, Feb 23, 2024 at 7:40 PM Daniel Bratell wrote: > LGTM > > Not sure if it's LGTM2 or LGTM4 since that depends on if the 2021 LGTMS > still apply, but this still seems ready to ship. > > /Daniel > On 2024-02-23 19:14, Chris Harrelson wrote: > > My LGTM still stands, and have recorded it in the tool. > > On Fri, Feb 23, 2024 at 10:01 AM 'Anupam Snigdha' via blink-dev < > blink-dev@chromium.org> wrote: > >> Gentle ping.. Received signoffs for all review gates for this feature. >> -- >> *From:* Anupam Snigdha >> *Sent:* Monday, February 12, 2024 10:37 AM >> *To:* Thomas Steiner ; Chris Harrelson < >> chris...@chromium.org> >> *Cc:* Evan Stade ; Anupam Snigdha < >> snianu.micros...@gmail.com>; 一丝 ; blink-dev < >> blink-dev@chromium.org>; sligh...@chromium.org ; >> svo...@gmail.com ; pwn...@chromium.org < >> pwn...@chromium.org>; Marijn Kruisselbrink ; >> yoav...@chromium.org ; huang...@chromium.org < >> huangdar...@chromium.org>; mk...@chromium.org ; >> Joshua Bell ; christin...@chromium.org < >> christin...@chromium.org>; etiennen...@chromium.org < >> etiennen...@chromium.org>; Sanket Joshi (EDGE) >> *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: >> Svg >> >> I've made some changes >> <https://chromium-review.googlesource.com/c/chromium/src/+/5277574> >> <https://chromium-review.googlesource.com/c/chromium/src/+/5277574>to >> address the loss of styles and other formatting issues during write. During >> read, if the authors have added `image/svg+xml` to the `unsanitized` list, >> then the SVG image content is returned without any strict processing by the >> browser. By-default, read processes the `image/svg+xml`using the strict >> HTML fragment parser that inlines the styles and strips out certain tags >> that may be security sensitive. >> > I noticed that the tests here are marked as "tentative". Is the sanitizer part of this specified? > I have started the privacy/security reviews for this change. Thanks! >> >> -Anupam >> -- >> *From:* Thomas Steiner >> *Sent:* Friday, February 2, 2024 12:45 AM >> *To:* Chris Harrelson >> *Cc:* Evan Stade ; Anupam Snigdha < >> snianu.micros...@gmail.com>; 一丝 ; blink-dev < >> blink-dev@chromium.org>; sligh...@chromium.org ; >> svo...@gmail.com ; pwn...@chromium.org < >> pwn...@chromium.org>; Marijn Kruisselbrink ; >> yoav...@chromium.org ; huang...@chromium.org < >> huangdar...@chromium.org>; mk...@chromium.org ; >> Joshua Bell ; Anupam Snigdha ; >> christin...@chromium.org ; >> etiennen...@chromium.org >> *Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg >> >> Regarding developer interest, there's definitely some false positives in >> there, but a quick GitHub search >> <https://github.com/search?type=code=%22navigator.clipboard.write%22+%22new+ClipboardItem%22+%22image%2Fsvg%2Bxml%22> >> demonstrates >> that quite a few developers attempt to write `image/svg+xml` onto the >> clipboard. (Including my own app, SVGcode >> <https://github.com/tomayac/SVGcode/blob/702767e6cfc4cb8f65ef7bed3f4f48816876b673/src/js/clipboard.js#L65-L144> >> ). >> >> On Thu, Feb 1, 2024 at 11:45 PM Chris Harrelson >> wrote: >> >> >> >> On Thu, Feb 1, 2024 at 2:43 PM Evan Stade wrote: >> >> My understanding is that SVG support got lost in a personnel shuffle and >> that we would like to ship it in theory. This comment >> <https://bugs.chromium.org/p/chromium/issues/detail?id=1110511#c32> has >> some more context, the takeaways being that: >> >>- we need to be more sure of the implementation >>- we need partner confirmation, i.e. addressing "LGTM3 with the >>caveat that we should only flip this flag to ship if big customers like >>Sean's team are able to use this successfully to minimally cover their >>needs." >> >> From my perspective the LGTMs are no longer caveated. I think there is >> enough evidence of demand to just do it. >> >> >> No one has done that outreach as of yet. >> >> -- Evan Stade >> >> >> On Thu, Feb 1, 2024 at 2:35 PM Chris Harrelson >> wrote: >> >> Hi, >> >> From my perspective, you still have 3 LGTMs to ship from the API owners. >> However, please fill out the cross-functional reviews for privacy, >> security, etc that have been ad
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
LGTM Not sure if it's LGTM2 or LGTM4 since that depends on if the 2021 LGTMS still apply, but this still seems ready to ship. /Daniel On 2024-02-23 19:14, Chris Harrelson wrote: My LGTM still stands, and have recorded it in the tool. On Fri, Feb 23, 2024 at 10:01 AM 'Anupam Snigdha' via blink-dev wrote: Gentle ping.. Received signoffs for all review gates for this feature. *From:* Anupam Snigdha *Sent:* Monday, February 12, 2024 10:37 AM *To:* Thomas Steiner ; Chris Harrelson *Cc:* Evan Stade ; Anupam Snigdha ; 一丝 ; blink-dev ; sligh...@chromium.org ; svo...@gmail.com ; pwn...@chromium.org ; Marijn Kruisselbrink ; yoav...@chromium.org ; huang...@chromium.org ; mk...@chromium.org ; Joshua Bell ; christin...@chromium.org ; etiennen...@chromium.org ; Sanket Joshi (EDGE) *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg I've made some changes <https://chromium-review.googlesource.com/c/chromium/src/+/5277574><https://chromium-review.googlesource.com/c/chromium/src/+/5277574>to address the loss of styles and other formatting issues during write. During read, if the authors have added `image/svg+xml` to the `unsanitized` list, then the SVG image content is returned without any strict processing by the browser. By-default, read processes the `image/svg+xml`using the strict HTML fragment parser that inlines the styles and strips out certain tags that may be security sensitive. I have started the privacy/security reviews for this change. Thanks! -Anupam *From:* Thomas Steiner *Sent:* Friday, February 2, 2024 12:45 AM *To:* Chris Harrelson *Cc:* Evan Stade ; Anupam Snigdha ; 一丝 ; blink-dev ; sligh...@chromium.org ; svo...@gmail.com ; pwn...@chromium.org ; Marijn Kruisselbrink ; yoav...@chromium.org ; huang...@chromium.org ; mk...@chromium.org ; Joshua Bell ; Anupam Snigdha ; christin...@chromium.org ; etiennen...@chromium.org *Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg Regarding developer interest, there's definitely some false positives in there, but a quick GitHub search <https://github.com/search?type=code=%22navigator.clipboard.write%22+%22new+ClipboardItem%22+%22image%2Fsvg%2Bxml%22> demonstrates that quite a few developers attempt to write `image/svg+xml` onto the clipboard. (Including my own app, SVGcode <https://github.com/tomayac/SVGcode/blob/702767e6cfc4cb8f65ef7bed3f4f48816876b673/src/js/clipboard.js#L65-L144>). On Thu, Feb 1, 2024 at 11:45 PM Chris Harrelson wrote: On Thu, Feb 1, 2024 at 2:43 PM Evan Stade wrote: My understanding is that SVG support got lost in a personnel shuffle and that we would like to ship it in theory. This comment <https://bugs.chromium.org/p/chromium/issues/detail?id=1110511#c32> has some more context, the takeaways being that: * we need to be more sure of the implementation * we need partner confirmation, i.e. addressing "LGTM3 with the caveat that we should only flip this flag to ship if big customers like Sean's team are able to use this successfully to minimally cover their needs." From my perspective the LGTMs are no longer caveated. I think there is enough evidence of demand to just do it. No one has done that outreach as of yet. -- Evan Stade On Thu, Feb 1, 2024 at 2:35 PM Chris Harrelson wrote: Hi, From my perspective, you still have 3 LGTMs to ship from the API owners. However, please fill out the cross-functional reviews for privacy, security, etc that have been added to the process since this intent was created. If that doesn't seem possible with your existing chromestatus entry, let me know or just create a new one and I'll LGTM it after those reviews have started. On Thu, Feb 1, 2024 at 1:38 PM Anupam Snigdha wrote: Thanks Chris! cc'ing estade@. I think Darwin and Victor are not working on clipboard anymore so this feature was stalled. Recently another bug was opened (https://bugs.chromium.org/p/chromium/issues/detail?id=1410321) where support for copying/pasting svg images is needed. More discussions: htt
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
My LGTM still stands, and have recorded it in the tool. On Fri, Feb 23, 2024 at 10:01 AM 'Anupam Snigdha' via blink-dev < blink-dev@chromium.org> wrote: > Gentle ping.. Received signoffs for all review gates for this feature. > -- > *From:* Anupam Snigdha > *Sent:* Monday, February 12, 2024 10:37 AM > *To:* Thomas Steiner ; Chris Harrelson < > chris...@chromium.org> > *Cc:* Evan Stade ; Anupam Snigdha < > snianu.micros...@gmail.com>; 一丝 ; blink-dev < > blink-dev@chromium.org>; sligh...@chromium.org ; > svo...@gmail.com ; pwn...@chromium.org < > pwn...@chromium.org>; Marijn Kruisselbrink ; > yoav...@chromium.org ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; christin...@chromium.org < > christin...@chromium.org>; etiennen...@chromium.org < > etiennen...@chromium.org>; Sanket Joshi (EDGE) > *Subject:* Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: > Svg > > I've made some changes > <https://chromium-review.googlesource.com/c/chromium/src/+/5277574> > <https://chromium-review.googlesource.com/c/chromium/src/+/5277574>to > address the loss of styles and other formatting issues during write. During > read, if the authors have added `image/svg+xml` to the `unsanitized` list, > then the SVG image content is returned without any strict processing by the > browser. By-default, read processes the `image/svg+xml`using the strict > HTML fragment parser that inlines the styles and strips out certain tags > that may be security sensitive. > I have started the privacy/security reviews for this change. Thanks! > > -Anupam > -- > *From:* Thomas Steiner > *Sent:* Friday, February 2, 2024 12:45 AM > *To:* Chris Harrelson > *Cc:* Evan Stade ; Anupam Snigdha < > snianu.micros...@gmail.com>; 一丝 ; blink-dev < > blink-dev@chromium.org>; sligh...@chromium.org ; > svo...@gmail.com ; pwn...@chromium.org < > pwn...@chromium.org>; Marijn Kruisselbrink ; > yoav...@chromium.org ; huang...@chromium.org < > huangdar...@chromium.org>; mk...@chromium.org ; > Joshua Bell ; Anupam Snigdha ; > christin...@chromium.org ; > etiennen...@chromium.org > *Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg > > Regarding developer interest, there's definitely some false positives in > there, but a quick GitHub search > <https://github.com/search?type=code=%22navigator.clipboard.write%22+%22new+ClipboardItem%22+%22image%2Fsvg%2Bxml%22> > demonstrates > that quite a few developers attempt to write `image/svg+xml` onto the > clipboard. (Including my own app, SVGcode > <https://github.com/tomayac/SVGcode/blob/702767e6cfc4cb8f65ef7bed3f4f48816876b673/src/js/clipboard.js#L65-L144> > ). > > On Thu, Feb 1, 2024 at 11:45 PM Chris Harrelson > wrote: > > > > On Thu, Feb 1, 2024 at 2:43 PM Evan Stade wrote: > > My understanding is that SVG support got lost in a personnel shuffle and > that we would like to ship it in theory. This comment > <https://bugs.chromium.org/p/chromium/issues/detail?id=1110511#c32> has > some more context, the takeaways being that: > >- we need to be more sure of the implementation >- we need partner confirmation, i.e. addressing "LGTM3 with the caveat >that we should only flip this flag to ship if big customers like Sean's >team are able to use this successfully to minimally cover their needs." > > From my perspective the LGTMs are no longer caveated. I think there is > enough evidence of demand to just do it. > > > No one has done that outreach as of yet. > > -- Evan Stade > > > On Thu, Feb 1, 2024 at 2:35 PM Chris Harrelson > wrote: > > Hi, > > From my perspective, you still have 3 LGTMs to ship from the API owners. > However, please fill out the cross-functional reviews for privacy, > security, etc that have been added to the process since this intent was > created. If that doesn't seem possible with your existing chromestatus > entry, let me know or just create a new one and I'll LGTM it after those > reviews have started. > > On Thu, Feb 1, 2024 at 1:38 PM Anupam Snigdha > wrote: > > Thanks Chris! > cc'ing estade@. > I think Darwin and Victor are not working on clipboard anymore so this > feature was stalled. > > Recently another bug was opened ( > https://bugs.chromium.org/p/chromium/issues/detail?id=1410321) where > support for copying/pasting svg images is needed. More discussions: > https://boxy-svg.com/ideas/268/paste-images-from-the-system-clipboard#comment-2313 > Since this I2S was LGTM'd with the caveat that Adobe is able to use this &
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
Gentle ping.. Received signoffs for all review gates for this feature. From: Anupam Snigdha Sent: Monday, February 12, 2024 10:37 AM To: Thomas Steiner ; Chris Harrelson Cc: Evan Stade ; Anupam Snigdha ; 一丝 ; blink-dev ; sligh...@chromium.org ; svo...@gmail.com ; pwn...@chromium.org ; Marijn Kruisselbrink ; yoav...@chromium.org ; huang...@chromium.org ; mk...@chromium.org ; Joshua Bell ; christin...@chromium.org ; etiennen...@chromium.org ; Sanket Joshi (EDGE) Subject: Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg I've made some changes<https://chromium-review.googlesource.com/c/chromium/src/+/5277574> <https://chromium-review.googlesource.com/c/chromium/src/+/5277574> to address the loss of styles and other formatting issues during write. During read, if the authors have added `image/svg+xml` to the `unsanitized` list, then the SVG image content is returned without any strict processing by the browser. By-default, read processes the `image/svg+xml`using the strict HTML fragment parser that inlines the styles and strips out certain tags that may be security sensitive. I have started the privacy/security reviews for this change. Thanks! -Anupam From: Thomas Steiner Sent: Friday, February 2, 2024 12:45 AM To: Chris Harrelson Cc: Evan Stade ; Anupam Snigdha ; 一丝 ; blink-dev ; sligh...@chromium.org ; svo...@gmail.com ; pwn...@chromium.org ; Marijn Kruisselbrink ; yoav...@chromium.org ; huang...@chromium.org ; mk...@chromium.org ; Joshua Bell ; Anupam Snigdha ; christin...@chromium.org ; etiennen...@chromium.org Subject: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg Regarding developer interest, there's definitely some false positives in there, but a quick GitHub search<https://github.com/search?type=code=%22navigator.clipboard.write%22+%22new+ClipboardItem%22+%22image%2Fsvg%2Bxml%22> demonstrates that quite a few developers attempt to write `image/svg+xml` onto the clipboard. (Including my own app, SVGcode<https://github.com/tomayac/SVGcode/blob/702767e6cfc4cb8f65ef7bed3f4f48816876b673/src/js/clipboard.js#L65-L144>). On Thu, Feb 1, 2024 at 11:45 PM Chris Harrelson mailto:chris...@chromium.org>> wrote: On Thu, Feb 1, 2024 at 2:43 PM Evan Stade mailto:est...@chromium.org>> wrote: My understanding is that SVG support got lost in a personnel shuffle and that we would like to ship it in theory. This comment<https://bugs.chromium.org/p/chromium/issues/detail?id=1110511#c32> has some more context, the takeaways being that: * we need to be more sure of the implementation * we need partner confirmation, i.e. addressing "LGTM3 with the caveat that we should only flip this flag to ship if big customers like Sean's team are able to use this successfully to minimally cover their needs." >From my perspective the LGTMs are no longer caveated. I think there is enough >evidence of demand to just do it. No one has done that outreach as of yet. -- Evan Stade On Thu, Feb 1, 2024 at 2:35 PM Chris Harrelson mailto:chris...@chromium.org>> wrote: Hi, >From my perspective, you still have 3 LGTMs to ship from the API owners. >However, please fill out the cross-functional reviews for privacy, security, >etc that have been added to the process since this intent was created. If that >doesn't seem possible with your existing chromestatus entry, let me know or >just create a new one and I'll LGTM it after those reviews have started. On Thu, Feb 1, 2024 at 1:38 PM Anupam Snigdha mailto:snianu.micros...@gmail.com>> wrote: Thanks Chris! cc'ing estade@. I think Darwin and Victor are not working on clipboard anymore so this feature was stalled. Recently another bug was opened (https://bugs.chromium.org/p/chromium/issues/detail?id=1410321) where support for copying/pasting svg images is needed. More discussions: https://boxy-svg.com/ideas/268/paste-images-from-the-system-clipboard#comment-2313 Since this I2S was LGTM'd with the caveat that Adobe is able to use this format, and I'm not sure if there is any update on that, is it possible to reconsider this I2S if there are other customers like Keynote and Cleanshot X interested in this feature? cc'ing Josh as well to see if there were any internal discussions with Adobe for SVG image support. Thanks! -Anupam On Mon, Nov 13, 2023 at 4:50 PM Chris Harrelson mailto:chris...@chromium.org>> wrote: Thanks for the interest! I agree it would be good to ship this if possible. On Tue, Oct 31, 2023 at 1:22 AM 一丝 mailto:yio...@gmail.com>> wrote: Unfortunately, three LGTMs obtained here did not ship. Can anyone re-continue this process? With Keynote 13.1 supporting the SVG format, this API seems to be the only way to copy and paste SVGs into Keynote in a browser. Could you test with the experimental-web-platform-features chrome
Re: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg
I've made some changes<https://chromium-review.googlesource.com/c/chromium/src/+/5277574> <https://chromium-review.googlesource.com/c/chromium/src/+/5277574> to address the loss of styles and other formatting issues during write. During read, if the authors have added `image/svg+xml` to the `unsanitized` list, then the SVG image content is returned without any strict processing by the browser. By-default, read processes the `image/svg+xml`using the strict HTML fragment parser that inlines the styles and strips out certain tags that may be security sensitive. I have started the privacy/security reviews for this change. Thanks! -Anupam From: Thomas Steiner Sent: Friday, February 2, 2024 12:45 AM To: Chris Harrelson Cc: Evan Stade ; Anupam Snigdha ; 一丝 ; blink-dev ; sligh...@chromium.org ; svo...@gmail.com ; pwn...@chromium.org ; Marijn Kruisselbrink ; yoav...@chromium.org ; huang...@chromium.org ; mk...@chromium.org ; Joshua Bell ; Anupam Snigdha ; christin...@chromium.org ; etiennen...@chromium.org Subject: [EXTERNAL] Re: [blink-dev] Intent to Ship: Clipboard API: Svg Regarding developer interest, there's definitely some false positives in there, but a quick GitHub search<https://github.com/search?type=code=%22navigator.clipboard.write%22+%22new+ClipboardItem%22+%22image%2Fsvg%2Bxml%22> demonstrates that quite a few developers attempt to write `image/svg+xml` onto the clipboard. (Including my own app, SVGcode<https://github.com/tomayac/SVGcode/blob/702767e6cfc4cb8f65ef7bed3f4f48816876b673/src/js/clipboard.js#L65-L144>). On Thu, Feb 1, 2024 at 11:45 PM Chris Harrelson mailto:chris...@chromium.org>> wrote: On Thu, Feb 1, 2024 at 2:43 PM Evan Stade mailto:est...@chromium.org>> wrote: My understanding is that SVG support got lost in a personnel shuffle and that we would like to ship it in theory. This comment<https://bugs.chromium.org/p/chromium/issues/detail?id=1110511#c32> has some more context, the takeaways being that: * we need to be more sure of the implementation * we need partner confirmation, i.e. addressing "LGTM3 with the caveat that we should only flip this flag to ship if big customers like Sean's team are able to use this successfully to minimally cover their needs." >From my perspective the LGTMs are no longer caveated. I think there is enough >evidence of demand to just do it. No one has done that outreach as of yet. -- Evan Stade On Thu, Feb 1, 2024 at 2:35 PM Chris Harrelson mailto:chris...@chromium.org>> wrote: Hi, >From my perspective, you still have 3 LGTMs to ship from the API owners. >However, please fill out the cross-functional reviews for privacy, security, >etc that have been added to the process since this intent was created. If that >doesn't seem possible with your existing chromestatus entry, let me know or >just create a new one and I'll LGTM it after those reviews have started. On Thu, Feb 1, 2024 at 1:38 PM Anupam Snigdha mailto:snianu.micros...@gmail.com>> wrote: Thanks Chris! cc'ing estade@. I think Darwin and Victor are not working on clipboard anymore so this feature was stalled. Recently another bug was opened (https://bugs.chromium.org/p/chromium/issues/detail?id=1410321) where support for copying/pasting svg images is needed. More discussions: https://boxy-svg.com/ideas/268/paste-images-from-the-system-clipboard#comment-2313 Since this I2S was LGTM'd with the caveat that Adobe is able to use this format, and I'm not sure if there is any update on that, is it possible to reconsider this I2S if there are other customers like Keynote and Cleanshot X interested in this feature? cc'ing Josh as well to see if there were any internal discussions with Adobe for SVG image support. Thanks! -Anupam On Mon, Nov 13, 2023 at 4:50 PM Chris Harrelson mailto:chris...@chromium.org>> wrote: Thanks for the interest! I agree it would be good to ship this if possible. On Tue, Oct 31, 2023 at 1:22 AM 一丝 mailto:yio...@gmail.com>> wrote: Unfortunately, three LGTMs obtained here did not ship. Can anyone re-continue this process? With Keynote 13.1 supporting the SVG format, this API seems to be the only way to copy and paste SVGs into Keynote in a browser. Could you test with the experimental-web-platform-features chrome flag turned on, and see if it works as intended for copy and paste from Keynote? 在2021年8月20日星期五 UTC+8 03:15:56mailto:sligh...@chromium.org>> 写道: LGTM3 with the caveat that we should only flip this flag to ship if big customers like Sean's team are able to use this successfully to minimally cover their needs. On Thursday, August 19, 2021 at 11:57:00 AM UTC-7 Chris Harrelson wrote: LGTM2 On Thu, Aug 19, 2021 at 11:46 AM Mike West wrote: LGTM1. I think it's important that we address the TAG's concerns about gesture requirements and other mechanisms which might red