- From: Doug Schepers <doug.schepers@vectoreal.com>
- Date: Mon, 6 Mar 2006 05:48:40 -0500
- To: <public-webapi@w3.org>
Hi, Paul-

Paul Libbrecht wrote:
|
| Can we please state this once and for all: there is no question of
| clipboard access the way MSIE gives it hence there is no
| security issue by "giving access to clipboard" to scripts.

That is not yet completely settled, but I generally agree. I do have one use case that I think is perfectly valid, however, and would like feedback on it.

| What I, and Maciej, have been proposing is a "passive" clipboard-data
| recipient and provider which is triggered by *standard gestures*.
| (using an "onPaste(transferData".)" and "onCopy() ->
| transferData" which could, almost right away, also apply for drag-and-drop)

The case for pasting, and existing clipboard content, is clear. Only a user-initiated event can send data to the DOM. Period. End of story, end of risk. I see no use case for allowing the DOM to actively access clipboard content.

I also agree that this will cover most aspects of d-n-d. Chaals and I are glacially working on that Spec, but we will submit it soon.

However, there is the matter of copying data by an action other than a keyboard or menu selection, or drag operation. I have often had a button that let users copy certain content to the clipboard, and I would want that facility here. Moreover, it can't be a special widget like "File Upload", since I will want to do it in SVG as well.

So, one solution I see is to have 2 trust-levels: 1 where the user initiates an OS-level copy event, which is done seamlessly, and one where another user action (a click, a mouseup, a mouseover, but never a generated event) triggers a copying event, where the user is probably asked for verification.

I think that Load-n-Save is also a related issue, and that does seem like an appropriate place to talk about URI-based sandboxes. Drag-n-drop is another issue, and has cross-document implications. We should have a consistent model across all these areas, and apply least-privilege only where we absolutely need to.

| Can we please hear security freaks about the dangers of that and not
| "giving access to clipboard" ???

I don't personally see any significant security risks to any of the "passive" copy-n-paste events.

p.s. I'd rather not get copied on an email sent to a list I read anyway. Is there some way to set up the W3C mailer so that "reply" goes to the list, not the poster?

Regards-
Doug

doug.schepers@vectoreal.com
www.vectoreal.com
...for scalable solutions.
Received on Monday, 6 March 2006 10:48:48 UTC
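
The two trust levels and the passive paste delivery discussed in the message above, modelled as an added example that is not part of the original post or of any specification draft. `ClipboardGate`, its method names and its decision strings are hypothetical; the events are constructed plain objects, and `isTrusted === true` is assumed to stand in for "a user action, never a generated event".

```javascript
// Added example: models the policy only; not a browser API.
// Events are constructed plain objects; isTrusted === true stands in for
// "a real user action, never a generated event" (assumption).
const OS_COPY = new Set(["copy", "cut"]);                        // level 1
const USER_ACTIONS = new Set(["click", "mouseup", "mouseover"]); // level 2

class ClipboardGate {                 // hypothetical name
  #content = "";                      // private: no active read for scripts
  constructor(confirmFn) {
    this.confirmFn = confirmFn;       // hypothetical user-verification prompt
    this.log = [];                    // audit trail of every decision
  }

  // A script asks to place `data` on the clipboard in response to `event`.
  requestCopy(event, data) {
    let decision;
    if (!event || event.isTrusted !== true) decision = "denied-generated-event";
    else if (OS_COPY.has(event.type)) decision = "allowed-seamless";
    else if (USER_ACTIONS.has(event.type))
      decision = this.confirmFn(data) ? "allowed-confirmed" : "denied-by-user";
    else decision = "denied-unsupported-event";
    if (decision.startsWith("allowed")) this.#content = String(data);
    this.log.push({ type: event ? event.type : null, decision });
    return decision;
  }

  // Passive paste: content reaches the handler only on a trusted paste gesture.
  deliverPaste(event, handler) {
    if (!event || event.isTrusted !== true || event.type !== "paste") return false;
    handler({ transferData: this.#content });
    return true;
  }
}

// Constructed walk-through; userSays simulates the answer to the prompt.
function demo(userSays) {
  const gate = new ClipboardGate(() => userSays);
  const decisions = [
    gate.requestCopy({ type: "copy", isTrusted: true }, "selected text"),
    gate.requestCopy({ type: "click", isTrusted: true }, "button text"),
    gate.requestCopy({ type: "click", isTrusted: false }, "scripted text"),
  ];
  let pasted = null;
  gate.deliverPaste({ type: "paste", isTrusted: true }, (d) => { pasted = d.transferData; });
  return { decisions, pasted };
}
```

The gate exposes no method that returns the clipboard content, so the only path from clipboard to script is the trusted paste gesture.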