Re: safeguarding a live getData() against looping scripts? (was: Re: clipboard events) from Daniel Cheng on 2011-05-17 (public-webapps@w3.org from April to June 2011)

From: Daniel Cheng <dcheng@chromium.org>
Date: Mon, 16 May 2011 23:30:08 -0700
To: "Hallvord R. M. Steen" <hallvord@opera.com>
Cc: public-webapps@w3.org
Message-ID: <BANLkTikxex6hvUGA_f+G8uNbOm24ZO=gHQ@mail.gmail.com>

I believe this problem is solvable without a spec change.

On Windows and Mac, implementations can use a native clipboard sequence
number to determine the contents of the clipboard have changed.

Linux is trickier. There's an X extension called XFixes which provides this
utility, but I don't know how widely installed this extension is. Otherwise,
UAs can probably hack together their own sequence number implementation by
polling the X server about the current selection but it's kind of icky.

Daniel

On Mon, May 16, 2011 at 21:15, Hallvord R. M. Steen <hallvord@opera.com>wrote:

>
>  IMO getData() should be 'live' - i.e. return what's on the clipboard.
>>>
>>
>  I think having it return live data could result in potential security
>> issues. Couldn't a script loop inside the paste event to keep sniffing out
>> live data?
>>
>
> What should we do about this? Should the spec mandate a timeout or a limit
> on how many times a script may call getData() for the same event?
>
> --
> Hallvord R. M. Steen, Core Tester, Opera Software
> http://www.opera.com http://my.opera.com/hallvors/
>

Received on Tuesday, 17 May 2011 06:30:45 UTC