#406: Raw Clipboard Access API
Discussions
Comment by @hober Aug 13, 2019 (See Github)
The link provided to your privacy & security self-assessment 404s. I'd be especially interested in a privacy & security self-assessment that considers the issues raised in dway123/raw-clipboard-access-explainer#3.
Comment by @dway123 Aug 15, 2019 (See Github)
Thank you for the prompt response, and sorry I had missed the privacy and security self-assessment.
I have uploaded the privacy and security self-assessment, and updated the link, so that it should no longer 404. It does now also consider the issues raised in dway123/raw-clipboard-access#3.
Discussed
Sep 1, 2019 (See Github)
Tess: the main security concern I have is that this a new way of exposing untrusted data (from the pasteboard)... In the answer to the questionnaire, they had a great answer to "what should this questionnaire have asked" - which was "does this spec compromise the user's system?" Their proposed mitigation is to put a permissiomn prompt over it. I don't think this is adaquate. People will just say yes because they won't understand the security implications. I'd like to see a more serious mitigation.
David: I agree that is not the sort of question you can explain to a user coherently.
Dan: this is a real dangerous thing because all kinds of info in the clipboard - private info - links, passwords, email addresses, etc...
David: we've always considered the ability to read from the clipboard without an explicit paste gesture to be a security veunerability.
Tess: Dan, why don't you and I each capture our concerns in the issue.
Dan: yes.
Dan: [case where safari prompts with a 2fa code to paste it in]
Tess: in the safari example, the web site doesn't see the 2fa code until the user makes an action to submit it.
[bumped a few weeks and we can pull it into f2f if appropriate
Comment by @dway123 Sep 3, 2019 (See Github)
As an update, I took a quick look at the explainer right before review, and added a few potentially interesting API design issues. I've filed them as issues on the explainer to point them out, and would appreciate if TAG would take a look at them as well. (Discussion regarding privacy and security concerns has been continuing as well). Thanks!
Discussed
Oct 1, 2019 (See Github)
Tess: Not much has happened on our review. Hadley and I had a breakout on this at our F2F in Tokyo... this was a big topic on Friday at TPAC. Haven't seen the minutes from that; I believe it was an interesting discussion that ran late. I'd like to understand the outcome from that discussion.
... Never had a time to talk to Sam about this... just met him very briefly at lunch in Tokyo.
Hadley: I didn't get a chance to talk to anyone atbout this at TPAC either. Would be useful to find out what happened. This was still going on after I left.
Tess: I will try to dig up the minutes on this one.
Peter: Shall we bump this by a week?
Tess: A week sounds good.
Peter: Done.
Discussed
Oct 1, 2019 (See Github)
Tess: We talked about this last week on the call, without having seen the minutes from the TPAC session, have since read these minutes
Tess: I did a very short summary of what I saw on slack the other day, basically, Gecko and WebKit engineers expressed concerns about the security/privacy implications of the API. And as a follow up I was trying to figure out if there was a Moz standards position on this, but there wasn't so I filed one.
Tess: The minutes were quite sparse so I would like to get a bit more info. I will make sure there is a link to the moz standards position issue from the TAG issue.
Dan: What are the main issues?
Tess: Main issue is security - the concern is that allowing web sites to write arbitrary typed concent to the paste board exposes the native apps to untrusted data that could lead to /sandbox escape/ to native apps.
Tess: One possible migiration is to expose the type of what is exposed, so that native apps by default wont read such data unless explicitly opting in. That seemed to be preferred by most people present, but doesn't work for integrating with existing apps that may never be updated.
Tess: Anne said that there had been some concensus the previous TPAC on a different solution that in my opinion sounded more promising.
Tess: One possible mitigation is instead of making it being opt in, would be to put writing to the paste board a permission prompt - but the opposition is that it is difficult explaining that to users.
Tess: I hope that Hadley has also looked at the minutes
Dan: Coming back to this I feel like that these issues have been raised before (looking at explainer) - the security issues are important what what I am most converned about is the notion that the user might have something on their clipboard that is privacy infringing (like password) and then some use switches tab and suddently a web page get access to this. Think about Slack for instance, like for me it has access to a lot, so switching to it might show an prompt.
Dan: I don't see this handled in the explainer - is that already a possibility with async clipboard? Why isn't this mentioned?
Ken: Can you add to the issue?
Dan: Yes, I can make that comme
Discussed
Oct 1, 2019 (See Github)
Tess: Hadley, Dan and I did a breakout on this last week. we didn't get to the agenda item last week.
Dan: output captured in comments :
Tess: I looked into user gesture requirement. We (Safari) has a user gesture restriction. I don't think the spec mandates that.
Tess: re pickling, they had rejected this approach because native apps would have to opt in. I think the more pressing concern should be that adoption of other engines is unlikely because of the security risk.
Dan: no feedback yet - how can we progress?
Tess: at TPAC this was discussed in the editing task force - they may have regular calls. I will look into it.
Peter: we could close this with prejeduce as they're not being responsive. I'm concerned - if there is only one browser interested in this then it sounds like a bigger problem.
Lukasz: only one browser - GC - right? Do we have any formal power to give a failing grade?
Dan: give them one more week?
Dan: let some feedbac
Comment by @travisleithead Oct 3, 2019 (See Github)
FYI: Minutes just posted to Editing TF list. For Raw Clipboard, scroll down to:
12:24 AM Topic: Raw Clipboard Access
https://lists.w3.org/Archives/Public/public-editing-tf/2019Oct/0004.html
Comment by @hober Oct 3, 2019 (See Github)
Thanks @travisleithead!
Comment by @torgo Oct 15, 2019 (See Github)
We are discussing in a TAG breakout with @hadleybeeman @hober and me today. Major concerns here with the privacy and security aspects of this and possibly with async clipboard API #222 as well.
One concern we see is the following (ab)use case:
- User copies some text (say a URL) in order to paste it into another application. That URL remains in the clipboard.
- Later, the user returns to a tab where clipboard access permission had already been granted (user activation).
- This text in the pasteboard (the URL) is now available to the web application running in this tab - the application harvests this data and adds it to the user profile and proceeds to spin ads to the user based on the contents of that URL.
I think we raised this and similar issues in our review of Async Clipboard (see comment from @triblondon https://github.com/w3ctag/design-reviews/issues/222#issuecomment-379436560). The feedback from that review was registered in clipboard API in a few issues there that are still open:
https://github.com/w3c/clipboard-apis/issues/52 User gesture requirement for Clipboard API access
https://github.com/w3c/clipboard-apis/issues/51 Clipboard Permission
https://github.com/w3c/clipboard-apis/issues/78 Explicitly require current focused document check in algorithm
...which seem related.
Considering that the raw clipboard access adds additional power to the clipboard API, and that these privacy and security issues remain unresolved in the clipboard API itself, it seems even more important that those issues are resolved and that the types of data leakage that I've outline above are locked down. Any comment, @dway123 or @garykac?
Comment by @hober Oct 15, 2019 (See Github)
The writing-native-exploit-onto-the-pasteboard concern https://github.com/dway123/raw-clipboard-access/issues/3 is very serious, and engineers from multiple browser engines have stated that (1) the current approach is a non-starter due to this problem, and (2) that a pickling approach would be far more palatable. See https://github.com/dway123/raw-clipboard-access/issues/3, https://github.com/mozilla/standards-positions/issues/206, and the most recent TPAC minutes for examples.
In your explainer, you say (emphasis mine):
Pickling was not chosen as it does not meet the requirements desired for raw clipboard access. Namely, interoperability between native and web applications could not be assured within a reasonable time-frame through pickling.
Rephrasing, your concern with pickling is with adoption. Perhaps a more pressing adoption concern is that, without pickling, your API is unlikely to be adopted by other browser engines?
Comment by @torgo Oct 23, 2019 (See Github)
@dway123 @garykac any feedback on the above? We're trying to provide some input in a timely and useful fashion here but we really need your feedback on the issues raised above in order to progress this. Thanks.
Comment by @dway123 Oct 24, 2019 (See Github)
Thank you for the feedback, and sorry we haven't responded yet. I'll provide a response next week, as we'd like some time to collect our thoughts and provide an appropriate response.
Comment by @dway123 Oct 31, 2019 (See Github)
Thank you for the review.
Re: privacy concerns via user activation (@torgo):
Yes, we have discussed user activation requirements, and recognize that user activation could lock down that abuse case. The Chrome team has been actively investigating mentioned mitigations, including an expiring/ephemeral permission and user activation requirements, and has implemented and helped specify the document focus requirement. That said, there are several use cases (remote desktop applications and custom context menus) that would break with a user activation requirement, so we think it would be overly restrictive to require this. I’ll also place some responses in the tagged issues.
Re: security concerns and native exploits (@hober):
We’ve seen significant user and developer demand on the web for interoperability with native applications’ clipboards, and would like to provide a safe mechanism to do so. Pickling unfortunately does not meet these compatibility requirements with legacy native applications (explainer section). That said, pickling is probably worth pursuing in parallel to address separate use cases, but we currently find it to be lower priority, and the raw clipboard access API design shouldn’t preclude pickling.
Raw clipboard access opens up a similar surface as Downloads, where data may touch legacy native surfaces without sanitization. We are interested in pursuing this approach despite more difficult security implications due to expressed demand, and we should be able to secure the Clipboard in a similar way as Downloads. We are exploring the use of a clipboard mark of the web (TPAC minutes), safe browsing, and other familiar protections used in Downloads.
We’ve also filed some potential concerns as issues in the repository. Is there any feedback on those issues? Thanks!
Discussed
Nov 1, 2019 (See Github)
Dan: I reached out to Alex Russell and Rick Byers 3 weeks ago and haven't heard back. Also no feedback from Darwin after my and Tess' feedback. Schedule for F2F and get them on the line or there in person?
Do we have visibility on whether these issues are being addressed?
Alice: Let me check whether I have gotten any email on the subject.
Dan: It poeple actually working in this or is it one of these issues that just fades away and wastes out time. Suggestion is to move this to F2F and I will press to get someone to join us.
Comment by @torgo Nov 2, 2019 (See Github)
Hi @dway123 I don't quite know where to go with this. Speaking for myself, I see this kind of privacy guarantee is a sine-qua-non for the web. I would never knowingly use a web browser that allowed this kind of access to my copy-paste buffer and I would certainly never want to foist this on a the general population of web users. I don't really understand how Chrome can be even considering this, considering the myriad of ways this could be (and will be) abused. I'm fairly certain the TAG consensus would be the same. I think this is a really good example of how "move fast and break things" is not a good approach for addition of new APIs to the web.
Comment by @hober Dec 5, 2019 (See Github)
Re: security concerns and native exploits (@hober):
Raw clipboard access opens up a similar surface as Downloads, where data may touch legacy native surfaces without sanitization. We are interested in pursuing this approach despite more difficult security implications due to expressed demand, and we should be able to secure the Clipboard in a similar way as Downloads.
I don't find this a promising rationale; consider @othermaciej's feedback on WICG/raw-clipboard-access#3:
Downloads are one of the most dangerous features of the web platform, in terms of opportunities to escape the sandbox and install persistent malware. So saying this is just like downloads is not very encouraging!
Further, many defenses around downloads are not sensibly applicable to copy/paste, or would create a serious privacy problem if implemented. For example, opening a downloaded file requires an action in native API and creates an opportunity to prompt. But merely copying malformed data in an arbitrary format can already expose the system clipboard/pasteboard surface to security vulnerabilities. A prompt before copying is both an inadequate defense ("opening this downloaded file may be dangerous" is much more understandable than "copying this data to the pasteboard may be dangerous"), and a major usability hit. Download protection via Safe Browsing is done in a way that gives a central service (run by Google) information about anything downloaded ever. We at Apple are uncomfortable with giving Google that info about every download, but every copy operation would be that much worse! Downloads are generally from an enumerable set created up front. But copy/paste data is very personal, often user created, and it would not be appropriate to update info about it (even such info as hash, length, or what web app the user was using) to a central service.
Finally, "assume that our security teams can figure out similar solutions" is not an adequate security story for a new web API that presents serious security risk. The security defenses need to be spelled out and reviewed. There are many reasons to think that copying the approach of downloads would not be an adequate solution.
Comment by @torgo Dec 14, 2019 (See Github)
@dway123 we discussed this topic in the last f2f with @slightlyoff in the "Fugu" discussion and it's my understanding there has been a project Fugu meeting of some kind since then. Has there been any progress since then on this topic? Our specific request (from the f2f minutes) was :
Alex: To get back to the specific request: to expand security and privacy section: expand the abuse cases, and mitigations, spelled out in a way that's understandable to someone not familiar with the API.
So, for example, can you ensure it spells out how this API could be used to gain access to the user's clipboard without their knowledge / explicit action, some of the potential ways that could be used to gain access to private information (e.g. if they have a password or other personally identifiable information in their clipboard), how the spec normatively mitigates against these outcomes and what non-normative guidance there might be around this that could additionally mitigate?
Additionally, we are looking for some progress on the "pickling" issue that @hober has described above. Is there a "middle ground" that could be struck?
Comment by @dway123 Dec 17, 2019 (See Github)
Sorry for the late response. We’ve been in discussions with Chrome privacy/security since then, as well as with @slightlyoff.
We’ve decided that we may start with a more restrictive API surface, and later reconsider opening things up. As such, we’ll likely gate API use on user activation, via the user activation API, and are taking a deeper look at Pickling. We will send out an explainer for Pickling, either as an alternative to Raw Clipboard, or as a supplement.
Regarding abuse cases, we did mention this in our design document, which was intended as a longer, more technical (and sometimes Chromium-specific) version of the easy-to-digest explainer, but which unfortunately wasn’t linked at the top of my explainer.
I originally opted to exclude longer discussions of security and privacy from the explainer and TAG process as the TAG explainer explainer, which while very helpful, did omit a Security and Privacy section, and was clear that this document should be “brief and easy”, but after similar repeated questions, will soon release a more fleshed out security/privacy considerations document.
Comment by @hober Dec 18, 2019 (See Github)
@dway123 wrote:
We’ve decided that we may start with a more restrictive API surface, and later reconsider opening things up.
Great. This sounds really promising!
As such, we’ll likely gate API use on user activation, via the user activation API, and are taking a deeper look at Pickling. We will send out an explainer for Pickling, either as an alternative to Raw Clipboard, or as a supplement.
I encourage you to pursue a pickling solution first, as it's more likely to see cross-browser adoption, and then perhaps revisit raw access later.
Regarding abuse cases, we did mention this in our design document, which was intended as a longer, more technical (and sometimes Chromium-specific) version of the easy-to-digest explainer, but which unfortunately wasn’t linked at the top of my explainer.
Thanks for this; this is a really interesting document. There are documents linked from it that sound tantalizing but unfortunately aren't public, e.g. the document linked in the sentence beginning "there are concerns regarding this lack of explicit user activation".
I originally opted to exclude longer discussions of security and privacy from the explainer and TAG process as the TAG explainer explainer, which while very helpful, did omit a Security and Privacy section, and was clear that this document should be “brief and easy”,
I think that's fair. The explainer explainer does say this:
As your work progresses, the explainer can help facilitate multi-stakeholder discussion and consensus-building by making clear:[…]
- accessibility, security and privacy implications which have been considered as part of the design process.
... but it could go a lot farther, and should more strongly encourage explainer authors to elaborate on the privacy and security thoughts that have gone into the design. I've filed w3ctag/w3ctag.github.io#21 to track this.
Comment by @hadleybeeman Mar 3, 2020 (See Github)
Hi @dway123 - we are picking this up in the context of our Wellington W3CTAG F2F. We appreciate your last comment, saying that the work on the spec has been addressing the concerns we've raised before. We're hoping you can help us see where and how this is being addressed in the spec.
Specifically, it looks like the following issues on clipboard access itself are still open:
- w3c/clipboard-apis#52 User gesture requirement for Clipboard API access
- w3c/clipboard-apis#51 Clipboard Permission
- w3c/clipboard-apis#78 Explicitly require
And that this issue on raw clipboard access:
- https://github.com/WICG/raw-clipboard-access/issues/3 Allowing raw clipboard access is not acceptable for privacy & security
...is also still open and hasn't had any recent activity.
Can you provide some more info on what's happening?
Comment by @dway123 Mar 11, 2020 (See Github)
Hi @hadleybeeman - sorry for the lack of update, and thank you for following up.
After more internal discussion, we've decided we need to experiment with and discuss/document this API proposal more before continuing the TAG review, and suggesting changes for the specification.
Can we please close this review, and re-open via a new review when we're ready to continue? Thank you all for your time and thoughts in discussing and providing feedback on this API so far! I understand the potential for abuse has been very concerning, so this review has likely been more difficult and involved than usual.
Comment by @cynthia Mar 12, 2020 (See Github)
Sure thing!
OpenedAug 13, 2019
こんにちはTAG!
I'm requesting a TAG review of:
Further details:
We recommend the explainer to be in Markdown. On top of the usual information expected in the explainer, it is strongly recommended to add:
You should also know that...
The previous TAG review for the Async Clipboard API, which this is built on is here.
We'd prefer the TAG provide feedback as (please select one):
Please preview the issue and check that the links work before submitting. In particular, if anything links to a URL which requires authentication (e.g. Google document), please make sure anyone with the link can access the document.
¹ For background, see our explanation of how to write a good explainer.