Currently during async clipboard write operation, there is no way for the web authors to detect if a particular mime type is supported by the UAs or not before attempting to actually write the formats to the clipboard. This not only affects developer ergonomics as now web authors have to attempt to write to the clipboard first in order to find out whether write failed due to a particular mime type not supported by the UAs (or sometimes add version checks that are unreliable at best), but also leads to unnecessary cost in terms of CPU cycles, COGS etc in order to produce an expensive web custom format which may not be supported by a particular browser.
None
N/A
N/A
N/A
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
N/A
Existing devtools support should be sufficient to query the static method from ClipboardItem.
Shipping on desktop
|
119
|
DevTrial on desktop
|
119
|
Shipping on Android
|
119
|
DevTrial on Android
|
119
|
On Sep 19, 2023, at 2:12, 'Anupam Snigdha' via blink-dev <blin...@chromium.org> wrote:
Contact emails
sni...@microsoft.com, sa...@microsoft.com, est...@chromium.org, jsb...@chromium.org, asu...@chromium.org
Explainer
Specification
Summary
Currently during async clipboard write operation, there is no way for the web authors to detect if a particular mime type is supported by the UAs or not before attempting to actually write the formats to the clipboard. This not only affects developer ergonomics as now web authors have to attempt to write to the clipboard first in order to find out whether write failed due to a particular mime type not supported by the UAs (or sometimes add version checks that are unreliable at best), but also leads to unnecessary cost in terms of CPU cycles, COGS etc in order to produce an expensive web custom format which may not be supported by a particular browser.
Blink component
Search tags
TAG review
None
TAG review status
Not applicable
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/BY5PR00MB08403037ADC9DD9A11BB4603CFFBA%40BY5PR00MB0840.namprd00.prod.outlook.com.
Why is it not applicable?
You don't often get email from s...@chromium.org.
Learn why this is important
|
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CH2PR00MB0841C834F1E79CD70FF81114CFFAA%40CH2PR00MB0841.namprd00.prod.outlook.com.
Thanks Chris for the clarification!Filed TAG review: https://github.com/w3ctag/design-reviews/issues/901
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/BY5PR00MB08403037ADC9DD9A11BB4603CFFBA%40BY5PR00MB0840.namprd00.prod.outlook.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
This proposal provides an `unsanitized` option in read() method to get the unsanitized HTML format. Unless sites explicitly opt-into reading the unsanitized HTML, they will get the sanitized HTML content by-default. Currently, when we read text/html MIME type using the async API, the sanitizer is invoked to strip out contents from the HTML markup due to security concerns, and styles are inlined into the HTML markup, which leads to a bloated HTML payload and loss of fidelity of HTML content when read by web authors or native apps. Firefox provides access to unsanitized HTML via DataTransfer APIs, which matches Chromium's behavior, and Safari only allows access to unsanitized HTML if it's being read within the same origin.
Comments
N/A
N/A
N/A
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
N/A
No specific DevTools changes are required. This feature is treated like any other JS method.
Shipping on desktop
|
120
|
Shipping on Android
|
120
|
Adoption expectationExcel online is ready to use this API. They are trying to move away from DataTransfer APIs and use Async clipboard APIs where web custom format is supported along with other benefits from async usage.
Adoption plan
Support for async clipboard API and web custom format is already in inner rings, so once this gets added to the clipboard API, Excel would be ready to use it right away.
As the author of the web custom formats article, just for me to better understand: the problem is that the clipboard gets populated with `text/html` by random (web or native) apps. If the clipboard were populated from the start with `web text/html`, the contents could be read unsanitized, even without this new parameter. So this new parameter is the escape hatch that developers can use via `navigator.clipboard.read({unsanitized: ["text/html"]})`.
An immediate question that I ask myself is whether this mechanism could be expanded to other values than just `"text/html"`.
FWIW, this demo was initially a bit misleading, since I expected "some text" to be on the clipboard, or whatever I put into the `contenteditable` box, but it's hardcoded. Maybe remove the box.
This proposal provides an `unsanitized` option in read() method to get the unsanitized HTML format. Unless sites explicitly opt-into reading the unsanitized HTML, they will get the sanitized HTML content by-default. Currently, when we read text/html MIME type using the async API, the sanitizer is invoked to strip out contents from the HTML markup due to security concerns, and styles are inlined into the HTML markup, which leads to a bloated HTML payload and loss of fidelity of HTML content when read by web authors or native apps. Firefox provides access to unsanitized HTML via DataTransfer APIs, which matches Chromium's behavior, and Safari only allows access to unsanitized HTML if it's being read within the same origin.
Comments
N/A
N/A
N/A
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
N/A
No specific DevTools changes are required. This feature is treated like any other JS method.
Shipping on desktop
|
120
|
Shipping on Android
|
120
|
As the author of the web custom formats article, just for me to better understand: the problem is that the clipboard gets populated with `text/html` by random (web or native) apps. If the clipboard were populated from the start with `web text/html`, the contents could be read unsanitized, even without this new parameter. So this new parameter is the escape hatch that developers can use via `navigator.clipboard.read({unsanitized: ["text/html"]})`.So, the problem is that, for sites like Excel Online, they aren't sure where the user is going to paste, so they always have to produce both 'web text/html' and 'text/html'. That way if an app doesn't have support for web custom format, then they can use the native HTML format. Same thing for native apps that produce a web custom format.There are also legacy native apps (old Office versions that are used by Enterprises) that don't have support for the new web custom format, so the site has to produce the standard HTML format for those apps as well.But you are right that if both source and target apps support web custom format, then it can be used to access unsanitized HTML content.
An immediate question that I ask myself is whether this mechanism could be expanded to other values than just `"text/html"`.Currently we are focusing on the standard HTML format to better align with the DataTransfer APIs. In theory you could add support for other built-in formats as well, but the main intent here is to produce similar fidelity of HTML format so sites that use DataTransfer APIs to read HTML do not experience any regression when they move over to async clipboard API for copy-paste operations.
Here is a document where I described the regressions and impact on the apps when sanitization is performed: https://docs.google.com/document/d/1nLny6t3w0u9yxEzusgFJSj-D6DZmDIAzkr1DdgWcZXA/edit?usp=sharing
Some native apps that I surveyed for impact of this new proposal: https://docs.google.com/document/d/1O2vtCS23nB_6aJy7_xcdaWKw7TtqYm0fERzEjtLyv5M/edit?usp=sharing
FWIW, this demo was initially a bit misleading, since I expected "some text" to be on the clipboard, or whatever I put into the `contenteditable` box, but it's hardcoded. Maybe remove the box.
Oops, sorry about that. Copy-paste error 🙂 I fixed it now.
Any answer on the other question regarding what the expected outcome of a call like below would be?
Probably you could even remove the "hello" in `<div id="logDiv">hello</div>` so the DIV is entirely empty to avoid any and all misunderstandings.
Any answer on the other question regarding what the expected outcome of a call like below would be?Currently we're throwing a JS exception if the unsanitized list contains a format other than `text/html`.
In theory we could also add other built-in formats in the future where sanitization is needed by-default on read(), but unsanitized content is returned if the author explicitly opts into it. e.g. For `image/svg+xml`, we could return sanitized content by-default where styles would be inlined and <meta> tags would be stripped out by the sanitizer, but if the authors want unsanitized content, then they can explicitly opt into it by adding this format to the unsanitized list.
Probably you could even remove the "hello" in `<div id="logDiv">hello</div>` so the DIV is entirely empty to avoid any and all misunderstandings.Done.
The code expects `text/html` at the first position of the array, but the explainer says "If text/html representation is present in the ClipboardItem and text/html is present in the unsanitized list", which suggests any position would be fine. Maybe make the explainer say what the code says or vice versa.
You don't often get email from sharma...@google.com.
Learn why this is important
|
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/BY5PR00MB08403037ADC9DD9A11BB4603CFFBA%40BY5PR00MB0840.namprd00.prod.outlook.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/DM6PR00MB08481919CE8AB9898AF599CBCFDEA%40DM6PR00MB0848.namprd00.prod.outlook.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY8SCt5_A4E9Fyu%2B_PeHbE-_vimSx8mZfXQS2F3RW5bg%2BQ%40mail.gmail.com.