Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 15 Dec 2009 10:12:40 -0800
Message-ID: <5691356f0912151012u7efcb516p8c72bc1fcd75bf3d@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Jonathan Rees <jar@creativecommons.org>, "Mark S. Miller" <erights@google.com>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>

On Mon, Dec 14, 2009 at 4:26 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Mon, Dec 14, 2009 at 2:38 PM, Adam Barth <w3c@adambarth.com> wrote:
>> On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close <tyler.close@gmail.com> wrote:
>>> For example, the
>>> User Consent Phase and Grant Phase above could be replaced by a single
>>> copy-paste operation by the user.
>>
>> Any design that involves storing confidential information in the
>> clipboard is insecure because IE lets arbitrary web sites read the
>> user's clipboard.  You can judge that to be a regrettable choice by
>> the IE team, but it's just a fact of the world.
>
> And so we use the alternate, no-copy-paste design on IE while waiting
> for a better world; one in which users can safely copy data between
> web pages.

Just so that everyone knows, IE has changed this policy, so it's not a
situation where we'll be waiting forever. See:

http://msdn.microsoft.com/en-us/library/bb250473(VS.85).aspx

Adam, were you aware of this policy change?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Tuesday, 15 December 2009 18:13:17 GMT
