Re: risks of custom clipboard types from Paul Libbrecht on 2011-05-17 (public-webapps@w3.org from April to June 2011)

From: Paul Libbrecht <paul@hoplahup.net>
Date: Tue, 17 May 2011 20:08:15 +0200
To: Ryosuke Niwa <rniwa@webkit.org>
Cc: Daniel Cheng <dcheng@chromium.org>, Boris Zbarsky <bzbarsky@mit.edu>, public-webapps@w3.org
Message-Id: <2B3B0792-5A94-4C74-B951-67D8C48F17E1@hoplahup.net>

Le 17 mai 2011 à 20:05, Ryosuke Niwa a écrit :

> So file-flavour is something special that should be always filtered??
> (in DnD or in CnP), which should be warned against in the spec?
> 
> Ryosuke, can you confirm this is the only risk you were talking about?
> 
> No.  There are some applications that embed sensitive information such as local file path and user name inside a content put into clipboard without notifying the user.  As far as I'm concerned, giving websites access to such information is not acceptable.
> 

Please be more precise with "some applications".

There could be some applications that put the email of the user (or the sender of the mail being read) in the plain text variant without the user knowing!

paul

Received on Tuesday, 17 May 2011 18:08:48 UTC