W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 14 Dec 2009 15:04:10 -0800
Cc: Tyler Close <tyler.close@gmail.com>, Jonathan Rees <jar@creativecommons.org>, "Mark S. Miller" <erights@google.com>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
Message-id: <7775F8BE-60EF-4187-85F4-4532990A0819@apple.com>
To: Adam Barth <w3c@adambarth.com>

On Dec 14, 2009, at 2:38 PM, Adam Barth wrote:

> On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close <tyler.close@gmail.com>  
> wrote:
>> For example, the
>> User Consent Phase and Grant Phase above could be replaced by a  
>> single
>> copy-paste operation by the user.
>
> Any design that involves storing confidential information in the
> clipboard is insecure because IE lets arbitrary web sites read the
> user's clipboard.  You can judge that to be a regrettable choice by
> the IE team, but it's just a fact of the world.

Information that's copied and pasted is highly likely to leak in other  
ways than just the IE paste behavior. For example, if it looks like a  
URL, users are likely to think it's a good idea to do things like  
share the URL with their friends, or to post it to a social bookmark  
site, or to Twitter it, or to send it in email. Even if it does not  
look like a URL, users may think they need to save it (likely  
somewhere insecure) so they don't forget.

Regards,
Maciej
Received on Monday, 14 December 2009 23:04:51 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT