
Re: Safe copy and paste with scripts

From: ROBO Design <robodesign@gmail.com>
Date: Sun, 05 Mar 2006 16:24:37 +0200
To: "Doug Schepers" <doug@schepers.cc>
Cc: "Web APIs Working Group" <public-webapi@w3.org>
Message-ID: <op.s5x2bbk3mapogm@localhost.localdomain>

On Sun, 05 Mar 2006 14:46:55 +0200, Doug Schepers <doug@schepers.cc> wrote:

> I don't think that the risk of nasty hacks outweighs the utility of
> clipboard access. No doubt some abuse will occur, but I think that the
> easiest way of dealing with all nasty JS abuse is to give users an obvious
> and simple "Disable Script" button that applies to the current tab. That way
> they can, if necessary, copy text, use the context menu, and all the other
> things that malicious control-freaks can dish out.

The usefulness of clipboard access is very important, but security is more  
important.

I'd say the spec must have a requirement for implementors: no matter how,
User Agents must be obliged to ask (at least once per domain, per
page, per script, per whatever) for confirmation from the user: "do you
allow clipboard access from ...?".

Simply allowing access to clipboard data, without confirmation, is by no
means acceptable. Doing so has serious privacy implications (think of how
many users have passwords, credit card numbers, personal data, or whatever
in the clipboard).

There's no need for malicious freaks to do something nasty. I can even add
to my site right now (if I want) a script to save all clipboard data on my
server (for IE users). Nobody would know, unless they checked my scripts.
That's something every script kiddie would do, just for the "fun" of doing
it.

Bringing such features to all "web developers" must be done with care, not
in haste.


-- 
http://www.robodesign.ro
ROBO Design - We bring you the future
Received on Sunday, 5 March 2006 14:23:58 GMT
