W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2012

Re: Concerns regarding cross-origin copy/paste security

From: Charles Pritchard <chuck@jumis.com>
Date: Thu, 02 Feb 2012 22:43:30 -0800
Message-ID: <4F2B8212.9040803@jumis.com>
To: Ryosuke Niwa <rniwa@webkit.org>
CC: "Hallvord R. M. Steen" <hallvord@opera.com>, public-webapps <public-webapps@w3.org>, Daniel Cheng <dcheng@chromium.org>
On 2/2/12 10:27 PM, Ryosuke Niwa wrote:
> On Thu, Feb 2, 2012 at 10:20 PM, Charles Pritchard <chuck@jumis.com 
> <mailto:chuck@jumis.com>> wrote:
>
>     Seems like a very minor risk for high security sites, e.g.
>     banking, in identifying form elements.
>     In the spirit of giving it some thought:
>
>
> But even for those websites, what could input / textarea elements can 
> reveal more than what user sees?

Many sites use <input hidden> elements with what are essentially image 
maps for entering a PIN.

In that case, a user does not see the PIN, though they do see an image 
map which has been obscured through various means.

I doubt there are security risks in this area.

>
>     There are various XSS headers that signal enhanced security for
>     websites, even to browser extensions.
>     Perhaps some of them ought to be used in the "copy" mechanism.
>     That way the data never reaches the clipboard for paste.
>
>
> That's also an option and may need to be spec'ed to some extent.

It's the best I have to offer, in hypothesizing how we may address the 
concern.
High security sites use high security headers. If they've opted into 
those headers, we can do a lot to limit data exposure.

There are many sorts of XSS attacks for sites that do not implement 
security headers. We can't help those, there are just too many leaks. 
So, I'd focus on specifying additional clipboard constraints for high 
security sites.

I would put out one word of caution: such restrictions could be used for 
censorship. I don't think we have an option there.

It's becoming more common that top level domains are being restricted or 
redirected to country codes. It seems plausible that domains may further 
be restricted to HTTPS (SSL) signatures. Going further, sites may be 
restricted to those which serve appropriate security headers against XSS 
attacks. Disabling the "copy" mechanism for any portion of a site does 
risk censorship. But, we are only examining high security portions of 
high security sites, such as <input hidden> and <input type=password>.

We're examining those elements for the sake of consumer protection for 
users doing online banking and otherwise cooperating in a secure 
environment for private data. That's a good thing.

-Charles
Received on Friday, 3 February 2012 06:43:55 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:50 GMT