W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2011

Re: risks of custom clipboard types

From: Paul Libbrecht <paul@hoplahup.net>
Date: Tue, 17 May 2011 18:50:30 +0200
Cc: public-webapps@w3.org
Message-Id: <70FDA1DD-66B8-44F0-94C5-D57EAB9662EF@hoplahup.net>
To: Boris Zbarsky <bzbarsky@MIT.EDU>

Le 17 mai 2011 à 18:39, Boris Zbarsky a écrit :
>> On my mac, as far as I know, this can only happen if I copied the the
>> file explicitly (as a file, not as a content). Pasting in some web-page
>> means I want to transmit the information of the clipboard to the page.
> You want to transmit the file contents.  You don't want to transmit the location of the file on your disk.  Certainly most users don't.
> To be clear, we (Mozilla) would consider this an unacceptable privacy breach.  This is why we (and other browsers) don't send the full path for file inputs too... this case is no different.

So you (Mozilla) would not accept to include URL-list as acceptable flavor to be read from the clipboard at paste time if that URL-list contains file URLs. Correct?

Ryosuke, do you see other possible flavor exploits with local-paths?
(you seemed to have something more precise in mind)

paul
Received on Tuesday, 17 May 2011 16:50:56 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:45 GMT