W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2012

Re: Concerns regarding cross-origin copy/paste security

From: Ryosuke Niwa <rniwa@webkit.org>
Date: Thu, 2 Feb 2012 22:48:26 -0800
Message-ID: <CABNRm62LTLh2iwRbzLZ3gPJH71rTQtRWi_Q+sT2x=FbMCYRt3g@mail.gmail.com>
To: Charles Pritchard <chuck@jumis.com>
Cc: "Hallvord R. M. Steen" <hallvord@opera.com>, public-webapps <public-webapps@w3.org>, Daniel Cheng <dcheng@chromium.org>
On Thu, Feb 2, 2012 at 10:43 PM, Charles Pritchard <chuck@jumis.com> wrote:

> **
> On 2/2/12 10:27 PM, Ryosuke Niwa wrote:
>
> On Thu, Feb 2, 2012 at 10:20 PM, Charles Pritchard <chuck@jumis.com>wrote:
>>
>>  Seems like a very minor risk for high security sites, e.g. banking, in
>> identifying form elements.
>> In the spirit of giving it some thought:
>>
>
>  But even for those websites, what could input / textarea elements can
> reveal more than what user sees?
>
> Many sites use <input hidden> elements with what are essentially image
> maps for entering a PIN.
>

But any element with display:none will be removed so <input hidden> should
be removed.

 It's becoming more common that top level domains are being restricted or
> redirected to country codes. It seems plausible that domains may further be
> restricted to HTTPS (SSL) signatures. Going further, sites may be
> restricted to those which serve appropriate security headers against XSS
> attacks. Disabling the "copy" mechanism for any portion of a site does risk
> censorship. But, we are only examining high security portions of high
> security sites, such as <input hidden> and <input type=password>.
>

input[type=password] is a good one. We should probably get rid of the value
in that case?

- Ryosuke
Received on Friday, 3 February 2012 06:49:13 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:50 GMT