
Re: risks of custom clipboard types

From: Ryosuke Niwa <rniwa@webkit.org>
Date: Tue, 17 May 2011 11:05:53 -0700
Message-ID: <BANLkTimi4Nk013H0Kqph8kAjZfkEDdWWTA@mail.gmail.com>
To: Paul Libbrecht <paul@hoplahup.net>
Cc: Daniel Cheng <dcheng@chromium.org>, Boris Zbarsky <bzbarsky@mit.edu>, public-webapps@w3.org
Ryosuke Niwa
Software Engineer
Google Inc.




On Tue, May 17, 2011 at 10:48 AM, Paul Libbrecht <paul@hoplahup.net> wrote:
>
>  This was certainly at least copied in plain-text as well, or?
>> The risk is here today then already, correct? (even with traditional forms
>> and a quick onchange that makes it invisible).
>>
>
> It is not because Chromium specifically clears the plain text type if it
> detects a file drag.
>
>
> So file-flavour is something special that should be always filtered??
> (in DnD or in CnP), which should be warned against in the spec?
>
> Ryosuke, can you confirm this is the only risk you were talking about?
>

No.  There are some applications that embed sensitive information such as
the local file path and user name inside content put into the clipboard without
notifying the user.  As far as I'm concerned, giving websites access to such
information is not acceptable.

- Ryosuke
Received on Tuesday, 17 May 2011 18:06:41 GMT
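
The concern raised in this message, as an added example that is not part of the original thread or of any browser's code: a check that scans each clipboard type's payload for local paths and the account name they reveal, then lists only the types with no such reference. The function names, the `application/x-example-editor` type and the sample payloads are constructed for illustration.

```javascript
// Added example. Matches file: URLs, Windows drive paths and POSIX home paths.
// A single alternation is used so one path is reported once, not once per pattern.
const LOCAL_REF = /file:\/\/[^\s"'<>]+|\b[A-Za-z]:\\[^\s"'<>]+|\/(?:Users|home)\/[^\s"'<>]+/gi;
// Captures the directory name that follows Users/ or home/ (usually the account name).
const USER_DIR = /[\/\\](?:Users|home)[\/\\]([^\/\\]+)/i;

// payloads: object mapping a clipboard type to its string data.
// Returns one finding per local reference: { type, match, user }.
function findLocalIdentifiers(payloads) {
  const findings = [];
  for (const [type, data] of Object.entries(payloads)) {
    for (const [match] of String(data).matchAll(LOCAL_REF)) {
      const user = USER_DIR.exec(match);
      findings.push({ type, match, user: user ? user[1] : null });
    }
  }
  return findings;
}

// Types whose payload carries no local reference and could be handed to a page.
function typesSafeToExpose(payloads) {
  const flagged = new Set(findLocalIdentifiers(payloads).map((f) => f.type));
  return Object.keys(payloads).filter((t) => !flagged.has(t));
}

// Constructed sample: what a desktop application might place on the clipboard
// when the user copies two words of visible text.
const sample = {
  "text/plain": "Quarterly numbers",
  "text/html":
    '<link rel=File-List href="file:///C:/Users/alice/AppData/Local/Temp/clip_filelist.xml">' +
    "<p>Quarterly numbers</p>",
  "application/x-example-editor": '{"source":"/home/alice/reports/q2.odt"}',
};

for (const f of findLocalIdentifiers(sample)) {
  console.log(`${f.type}: ${f.match} (user: ${f.user})`);
}
console.log("safe to expose:", typesSafeToExpose(sample));
```

The visible text is identical in all three types; only the types the user never sees carry the path and account name.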
