- From: Doug Schepers <doug@schepers.cc>
- Date: Sun, 5 Mar 2006 14:45:58 +0100
- To: "'Web APIs WG'" <public-webapi@w3.org>
Hi, Jim- I think you raise excellent points. I'll reply inline. Jim Ley wrote: | | The bigger problem is not cancelling it's changing - so you | go to copy a url into an email message, and a different link | ends up on the clipboard. While this is tricksy and suboptimal, I don't see it as a genuine security concern, merely an annoyance. But I am willing to be educated as to the danger of it. In any case, it might be nice if the user were alerted in some way that a "copy" event has been triggered/changed, and I recommend that we include wording to this effect in an informative description. | Or if you simply happen to be on a page and the browser can look at | what is in your clipboard, even if it's your untrusted data, | yet allowing access to the content when you do want to give your | clipboard contents. I think this is best solved by simply not allowing script to have access to the clipboard buffer unless the user specifically fires a paste event. Therefore, "paste" events should not work with createEvent(). What other security concerns do people see? Regards- Doug doug.schepers@vectoreal.com www.vectoreal.com ...for scalable solutions.
Received on Sunday, 5 March 2006 13:46:22 UTC