// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
module blink.mojom;
import "mojo/public/mojom/base/big_buffer.mojom";
import "mojo/public/mojom/base/big_string.mojom";
import "mojo/public/mojom/base/string16.mojom";
import "skia/public/mojom/bitmap.mojom";
import "third_party/blink/public/mojom/data_transfer/data_transfer.mojom";
import "third_party/blink/public/mojom/tokens/tokens.mojom";
import "url/mojom/url.mojom";
enum ClipboardFormat {
kPlaintext,
kHtml,
kSmartPaste,
kBookmark,
};
enum ClipboardBuffer {
kStandard,
// Used on platforms like the X Window System that treat selection
// as a type of clipboard.
// TODO(crbug.com/676224): When preprocessing of mojom is available only
// define this value for EnableIf=use_ozone.
kSelection,
};
struct ClipboardFiles {
// Files on the system clipboard.
array<DataTransferFile> files;
// Isolated file system ID for the files.
string? file_system_id;
};
// Implemented by the browser to allow the renderer to use the system clipboard.
// Individual operations are atomic, but successive operations are not.
// Therefore, it's possible that one may see text available from
// ReadAvailableTypes(), but that a subsequent ReadText() may then fail.
//
// Security and Privacy Model:
// Native: Operating systems (OS's) generally provide clipboard access as-is to
// native applications (including Chrome), trusting that users who install these
// applications trust the apps' clipboard use to be safe. This means both
// formats and payloads read/written by native applications are used by OS's
// as-is. Native applications also often trust other native applications
// in this manner, and may have existing vulnerabilities that untrusted content
// (ex. from the web) could potentially exploit.
//
// Web: As browsers and users view web content as untrusted by default, the
// browser must limit and secure web content from interaction with the OS, that
// has a more trusted security model, and vice versa.
//
// Security: Content written to the clipboard should generally be sanitized
// to protect insecure / out-of-date decoders in native applications from
// malicious, untrusted, web-originated content. For example, PNG images should
// be sanitized due to PNG vulnerabilities that may exist in native decoders.
// Native applications tend to not be sandboxed, have lower update rates, and
// have higher levels of system permissions than web applications, so failure
// to properly sanitize may lead to sandbox escapes and remote code execution.
//
// Privacy: Content read from the clipboard should generally sanitize any
// content that users may not reasonably expect to be on their clipboard.
// Failure to do so may lead to users leaking sensitive information,
// that may for example be held in metadata.
interface ClipboardHost {
// Conservative limits to maximum format name and data sizes, to avoid
// potential attacks with long strings. These limits are only applied to
// unsanitized custom formats. The size limit includes the null terminator.
const uint32 kMaxFormatSize = 1024;
const uint32 kMaxDataSize = 1073741824; // 1 GB, or 1 << 30
// Returns a token which uniquely identifies clipboard state.
// This can be used to version the data on the clipboard and determine
// whether it has changed.
[Sync]
GetSequenceNumber(ClipboardBuffer buffer) =>
(blink.mojom.ClipboardSequenceNumberToken result);
[Sync]
IsFormatAvailable(ClipboardFormat format,
ClipboardBuffer buffer) => (bool result);
// Reads sanitized platform-neutral types.
[Sync]
ReadAvailableTypes(ClipboardBuffer buffer) =>
(array<mojo_base.mojom.String16> types);
[Sync]
ReadText(ClipboardBuffer buffer) => (mojo_base.mojom.BigString16 result);
[Sync]
ReadHtml(ClipboardBuffer buffer) => (mojo_base.mojom.BigString16 markup,
url.mojom.Url url,
uint32 fragment_start,
uint32 fragment_end);
// Read SVG from the OS clipboard.
ReadSvg(ClipboardBuffer buffer) => (mojo_base.mojom.BigString16 result);
[Sync]
ReadRtf(ClipboardBuffer buffer) => (mojo_base.mojom.BigString result);
// Read an image from the OS clipboard, returning the PNG-encoded bytes if
// there is an image, or an empty buffer otherwise.
[Sync]
ReadPng(ClipboardBuffer buffer) => (mojo_base.mojom.BigBuffer png);
// Read Files from clipboard. Called on paste event to provide
// clipboardData.files.
// Security notes:
// 1. This function must only be used with user activation, similar to drag
// and drop.
// 2. We do not allow/implement WriteFiles(). Any such future function must
// ensure that renderers cannot place arbitrary paths on the clipboard,
// and then read them via ReadFiles().
[Sync]
ReadFiles(ClipboardBuffer buffer) => (ClipboardFiles result);
[Sync]
ReadDataTransferCustomData(ClipboardBuffer buffer, mojo_base.mojom.String16 type) =>
(mojo_base.mojom.BigString16 result);
// Reads both unsanitized custom formats & standard
// formats(such as text/html).
// `format_types` contains the list of all available custom & standard
// formats.
[Sync]
ReadAvailableCustomAndStandardFormats() =>
(array<mojo_base.mojom.String16> format_types);
// Reads an unsanitized custom format from the clipboard. This is currently
// only used in async clipboard API.
// `format` contains the custom format name.
// Returns the data from the clipboard corresponding to the `format`.
// Returns empty `data` if the `format` is not available in the clipboard.
ReadUnsanitizedCustomFormat(mojo_base.mojom.String16 format) =>
(mojo_base.mojom.BigBuffer data);
// Writing to the clipboard via mojo is a two-phase operation. First, the
// sender sends the different types of data it'd like to write to the
// receiver. Then, it sends a commit message to commit the data to the system
// clipboard.
WriteText(mojo_base.mojom.BigString16 text);
WriteHtml(mojo_base.mojom.BigString16 markup, url.mojom.Url url);
// Takes sanitized SVG in a UTF16 string format and writes it to the
// OS clipboard.
WriteSvg(mojo_base.mojom.BigString16 markup);
WriteSmartPasteMarker();
// Chromium-specific DataTransfer custom data.
WriteDataTransferCustomData(map<mojo_base.mojom.String16, mojo_base.mojom.BigString16> data);
// TODO(dcheng): The |url| parameter should really be a GURL, but <canvas>'s
// copy as image tries to set very long data: URLs on the clipboard. Using
// GURL causes the browser to kill the renderer for sending a bad IPC (GURLs
// bigger than 2 megabytes are considered to be bad). https://crbug.com/459822
WriteBookmark(string url,
mojo_base.mojom.String16 title);
WriteImage(skia.mojom.BitmapN32 image);
// Writes an unsanitized custom format to the clipboard.
// `format` contains the name of the custom format and `data` contains the
// unsanitized payload provided by the web authors.
// There can only be 100 custom formats per write operation and it will be
// registered when the web authors request for a custom format.
WriteUnsanitizedCustomFormat(mojo_base.mojom.String16 format,
mojo_base.mojom.BigBuffer data);
CommitWrite();
[EnableIf=is_mac]
WriteStringToFindPboard(mojo_base.mojom.String16 text);
};
Codebase Browser
chromium