
Re: Concerns regarding cross-origin copy/paste security

From: Ryosuke Niwa <rniwa@webkit.org>
Date: Thu, 2 Feb 2012 22:27:54 -0800
Message-ID: <CABNRm60m_hu7fEpbgV9832Bdt4mom=EibMePArhTQAF_Pz1=Bw@mail.gmail.com>
To: Charles Pritchard <chuck@jumis.com>
Cc: "Hallvord R. M. Steen" <hallvord@opera.com>, public-webapps <public-webapps@w3.org>, Daniel Cheng <dcheng@chromium.org>
On Thu, Feb 2, 2012 at 10:20 PM, Charles Pritchard <chuck@jumis.com> wrote:
>
>  Seems like a very minor risk for high security sites, e.g. banking, in
> identifying form elements.
> In the spirit of giving it some thought:
>

But even for those websites, what could input / textarea elements
reveal more than what the user sees?

> There are various XSS headers that signal enhanced security for websites,
> even to browser extensions.
> Perhaps some of them ought to be used in the "copy" mechanism. That way
> the data never reaches the clipboard for paste.
>

That's also an option and may need to be spec'ed to some extent.

- Ryosuke
Received on Friday, 3 February 2012 06:28:42 GMT
