
RE: Safe copy and paste with scripts

From: Doug Schepers <doug@schepers.cc>
Date: Sun, 5 Mar 2006 14:45:58 +0100
To: "'Web APIs WG'" <public-webapi@w3.org>
Message-Id: <20060305134556.E6AF8195516@plunder.dreamhost.com>

Hi, Jim-

I think you raise excellent points. I'll reply inline.

Jim Ley wrote:
|
| The bigger problem is not cancelling, it's changing - so you 
| go to copy a URL into an email message, and a different link 
| ends up on the clipboard. 

While this is tricksy and suboptimal, I don't see it as a genuine security
concern, merely an annoyance. But I am willing to be educated as to the
danger of it.

In any case, it might be nice if the user were alerted in some way that a
"copy" event has been triggered/changed, and I recommend that we include
wording to this effect in an informative description.


| Or if you simply happen to be on a page and the browser can look at 
| what is in your clipboard, even if it's your untrusted data,
| yet allowing access to the content when you do want to give your
| clipboard contents.

I think this is best solved by simply not allowing script to have access to
the clipboard buffer unless the user specifically fires a paste event.
Therefore, "paste" events should not work with createEvent().

What other security concerns do people see?

Regards-
Doug

doug.schepers@vectoreal.com
www.vectoreal.com ...for scalable solutions.
Received on Sunday, 5 March 2006 13:46:22 GMT
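
Added example, not part of the original message or of any W3C text: a small JavaScript model of the two rules proposed above, that a script-created "paste" event exposes no clipboard data and that the user is alerted when a "copy" handler changes what was copied. `ClipboardGate` and its methods are hypothetical names, and the URLs are constructed sample values.

```javascript
// Added model of a user agent's clipboard gate; not real browser code.
// ClipboardGate, userPaste, scriptPaste and userCopy are hypothetical names.
class ClipboardGate {
  #buffer = ''; // system clipboard, never handed to script directly
  constructor(notify) {
    this.handlers = { copy: [], paste: [] };
    this.notify = notify; // UI hook used to alert the user
  }
  on(type, fn) { this.handlers[type].push(fn); }
  // Only the user agent decides whether clipboard data is attached.
  _dispatch(type, trusted, data) {
    const event = {
      type,
      isTrusted: trusted,
      // Script-created events carry no payload: no read access.
      getData: () => (trusted ? data : ''),
      override: null,
      setData(text) { this.override = text; },
    };
    for (const fn of this.handlers[type]) fn(event);
    return event;
  }
  // The user fired a paste: the one path that exposes the buffer.
  userPaste() { return this._dispatch('paste', true, this.#buffer); }
  // Page script fabricated a paste event (the createEvent() case).
  scriptPaste() { return this._dispatch('paste', false, this.#buffer); }
  // The user copied a selection; handlers may change what is stored.
  userCopy(selection) {
    const event = this._dispatch('copy', true, selection);
    const stored = event.override === null ? selection : event.override;
    if (stored !== selection) {
      this.notify(`Copied text was changed by the page: ${stored}`);
    }
    this.#buffer = stored;
    return stored;
  }
}

// Constructed scenario: one page handler rewrites copies, another reads pastes.
function demo() {
  const alerts = [], seen = [];
  const gate = new ClipboardGate((msg) => alerts.push(msg));
  gate.on('paste', (e) => seen.push(e.getData()));
  gate.on('copy', (e) => e.setData('http://other.example/'));
  gate.userCopy('http://intended.example/');
  gate.scriptPaste(); // handler sees an empty string
  gate.userPaste();   // handler sees the stored text
  return { seen, alerts };
}
```

Browsers that later shipped clipboard events expose the same distinction to page script as the read-only `isTrusted` property on the event.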

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:53 GMT