Apple’s WebKit team recently updated the Mac Clipboard API. The API lets websites access the system clipboard (or pasteboard as it’s known on Mac, I had no idea). The updates include image conversion and certain security enhancements.
Image Conversion
Many websites don’t support the TIFF file format. Tagged Image File Format is a photo format widely used by photographers and graphic designers. WebKit can now automatically convert TIFF images to PNG images, and expose PNG images as files when there are images in the pasteboard.
Security Fixes
A security fix, or rather enhancement, involves HTML code. HTML is widely used around the web. However, letting websites write HTML to the pasteboard can be risky, because HTML can contain elements that execute malicious code.
But letting websites read HTML from the pasteboard can also be a problem. Some word processors and spreadsheet apps put privacy-sensitive information in the pasteboard. This can include local file paths and user information.
For example, if you typed “12345” in a document and copied/pasted it into a website, the website might be able to figure out your Mac’s local home directory path if the raw HTML was exposed.
The new update sanitizes HTML read from and written to the pasteboard. Now, when a website tries to write HTML to the pasteboard, the system will first paste the HTML into a dummy document, re-serialize it to HTML, then write the new HTML code into the pasteboard. This ensures that risky HTML elements will be removed.
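The parse-then-re-serialize idea described above, sketched in Python as an added example (not WebKit's code and not from the WebKit blog). The dropped elements, attributes and URL schemes are an assumed policy, and `Reserializer`, `sanitize` and the sample markup are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this illustration; not WebKit's actual rule set.
DROP_SUBTREE = {"script", "style", "iframe", "object"}  # element and contents
DROP_TAG = {"meta", "link", "embed"}                    # void, dropped
VOID = {"br", "hr", "img", "input", "wbr"}              # void, kept
BAD_SCHEMES = ("file:", "javascript:")                  # local paths, script URLs

class Reserializer(HTMLParser):
    """Rebuild HTML from parse events; comments and doctype are never re-emitted."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped subtree

    def handle_starttag(self, tag, attrs):
        if tag in DROP_SUBTREE:
            self.skip += 1
        if self.skip or tag in DROP_TAG:
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or value.strip().lower().startswith(BAD_SCHEMES):
                continue  # inline event handler or risky URL: leave it out
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_SUBTREE:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag not in DROP_TAG | VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(markup):
    parser = Reserializer()
    parser.feed(markup)
    parser.close()  # flush any buffered text
    return "".join(parser.out)

SAMPLE = (  # constructed clipboard HTML modelled on word-processor output
    '<link rel="File-List" href="file:///Users/alice/tmp/filelist.xml">'
    '<!-- saved from /Users/alice/Documents/budget.doc -->'
    '<p style="margin:0" onclick="track()">12345'
    '<img src="file:///Users/alice/tmp/image001.png" alt="chart"></p>'
    '<script>track()</script>'
)
```

Because the output is rebuilt only from what the handlers emit, anything the policy does not explicitly keep (the comment holding the document path, the `file:` references, the script) never reaches the result.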
Further updates to the Mac Clipboard API can be found on the WebKit blog.
I’m not sure how local path information would be included with copied text – this is alarming! Text is text – maybe some formatting information, but the rest is VERY troubling – either spyware or a security hole as wide as the no-password root access bug.
Just what goes on with web browsers? Are they spyware plain and simple?