[w3c/clipboard-apis] User gesture requirement for Clipboard API access (#52) from Gary Kacmarcik on 2017-09-12 (public-webapps-github@w3.org from September 2017)

From: Gary Kacmarcik <notifications@github.com>
Date: Tue, 12 Sep 2017 20:30:05 +0000 (UTC)
To: w3c/clipboard-apis <clipboard-apis@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/clipboard-apis/issues/52@github.com>

We need to document how we want to handle the (current) User Gesture requirement once we have proper Permissions in place.

User gestures were put in place to help reduce drive-by API abuse since we didn't have a Permission mechanism in place. Now that we have Permissions, we could remove the gesture requirement, but some UAs may want to keep the gesture requirement so that they can auto-grant some access to the clipboard without requiring a Permission prompt.

If we want to include this explicitly in the spec, here is an initial proposal:
- Write: Gesture required for clipboard write UNLESS `fullAccess` Permission has already been granted
   - This is because the `fullAccess` permission is stronger than the basic permission
   - If basic `{ clipboard }` permission is DENIED, then write will not work (even with a gesture)
- Read: Since clipboard read is more dangerous, require `{ clipboard fullAccess=true }` Permission
   - Note: built-in (UA or OS-level) "paste" buttons may only require a user-gesture


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/clipboard-apis/issues/52

Received on Tuesday, 12 September 2017 20:30:58 UTC