
Re: Concerns regarding cross-origin copy/paste security

From: Charles Pritchard <chuck@jumis.com>
Date: Sat, 04 Feb 2012 15:01:21 -0800
Message-ID: <4F2DB8C1.6070400@jumis.com>
To: Ryosuke Niwa <rniwa@webkit.org>
CC: "Hallvord R. M. Steen" <hallvord@opera.com>, public-webapps <public-webapps@w3.org>, Daniel Cheng <dcheng@chromium.org>
On 2/2/2012 10:48 PM, Ryosuke Niwa wrote:
> On Thu, Feb 2, 2012 at 10:43 PM, Charles Pritchard <chuck@jumis.com 
> <mailto:chuck@jumis.com>> wrote:
>
>     On 2/2/12 10:27 PM, Ryosuke Niwa wrote:
>>     On Thu, Feb 2, 2012 at 10:20 PM, Charles Pritchard
>>     <chuck@jumis.com <mailto:chuck@jumis.com>> wrote:
>>
>>         Seems like a very minor risk for high security sites, e.g.
>>         banking, in identifying form elements.
>>         In the spirit of giving it some thought:
>>
>>
>>     But even for those websites, what could input / textarea elements
>>     reveal more than what the user sees?
>     Many sites use <input hidden> elements with what are essentially
>     image maps for entering a PIN.
>
>
> But any element with display:none will be removed so <input hidden> 
> should be removed.
>
>     It's becoming more common that top level domains are being
>     restricted or redirected to country codes. It seems plausible that
>     domains may further be restricted to HTTPS (SSL) signatures. Going
>     further, sites may be restricted to those which serve appropriate
>     security headers against XSS attacks. Disabling the "copy"
>     mechanism for any portion of a site does risk censorship. But, we
>     are only examining high security portions of high security sites,
>     such as <input hidden> and <input type=password>.
>
>
> input[type=password] is a good one. We should probably get rid of the 
> value in that case?

Yes, I think so. I'm working on an application in which I do a lot of 
copy and paste work. I'll let you know if I come across anything I think 
should change.

-Charles
Received on Saturday, 4 February 2012 23:01:49 GMT
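As an added, defender-side illustration of the two sanitisation rules the thread converges on (drop anything that is display:none, and drop the value of input[type=password] before the markup leaves the origin), the following example is written for this page and is not code from the thread, from WebKit or from any browser. It works on a serialized HTML string with Python's html.parser, so it can only see inline `style="display:none"`, the `hidden` attribute and `input[type=hidden]` (which the HTML rendering rules make display:none); a real browser implementation would walk the live DOM and consult computed style instead. The sample form is constructed for the example.

```python
from html.parser import HTMLParser
from html import escape

# Elements that never have an end tag, so they never open a hidden subtree.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}


def is_hidden(tag, attrs):
    """Hidden by the `hidden` attribute, inline display:none, or being an
    input[type=hidden] (display:none in the UA stylesheet)."""
    for name, value in attrs:
        if name == "hidden":
            return True
        if name == "style" and value and "display:none" in value.replace(" ", "").lower():
            return True
        if tag == "input" and name == "type" and (value or "").lower() == "hidden":
            return True
    return False


class CopySanitizer(HTMLParser):
    """Re-serialises a fragment, omitting hidden subtrees and password values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.hidden_depth = 0        # > 0 while inside a hidden subtree
        self.dropped_hidden = 0      # hidden elements removed (subtree counted once)
        self.stripped_passwords = 0  # password inputs whose value was removed

    def _emit_start(self, tag, attrs, self_closing=False):
        if tag == "input" and any(n == "type" and (v or "").lower() == "password"
                                  for n, v in attrs):
            kept = [(n, v) for n, v in attrs if n != "value"]
            if len(kept) != len(attrs):
                self.stripped_passwords += 1
            attrs = kept
        parts = [tag] + [n if v is None else f'{n}="{escape(v, quote=True)}"'
                         for n, v in attrs]
        self.out.append("<" + " ".join(parts) + (" /" if self_closing else "") + ">")

    def handle_starttag(self, tag, attrs):
        if self.hidden_depth:
            if tag not in VOID_ELEMENTS:
                self.hidden_depth += 1
            return
        if is_hidden(tag, attrs):
            self.dropped_hidden += 1
            if tag not in VOID_ELEMENTS:
                self.hidden_depth = 1
            return
        self._emit_start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        # <tag ... /> form: contributes no subtree of its own.
        if self.hidden_depth:
            return
        if is_hidden(tag, attrs):
            self.dropped_hidden += 1
            return
        self._emit_start(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if self.hidden_depth:
            if tag not in VOID_ELEMENTS:
                self.hidden_depth -= 1
            return
        if tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.hidden_depth:
            self.out.append(escape(data, quote=False))


def sanitize_for_copy(fragment):
    """Return (sanitised_html, hidden_elements_dropped, password_values_stripped)."""
    parser = CopySanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped_hidden, parser.stripped_passwords


# Constructed sample: a login form with the element kinds discussed in the thread.
SAMPLE_FORM = (
    '<form action="/login">'
    '<label>User <input type="text" name="u" value="alice"></label>'
    '<label>PIN <input type="password" name="p" value="1234"></label>'
    '<input type="hidden" name="csrf" value="t0k3n">'
    '<div style="display: none">secret layout <span>nested</span></div>'
    '<p hidden>also hidden</p>'
    '<p>visible text</p>'
    '</form>'
)

if __name__ == "__main__":
    html, dropped, stripped = sanitize_for_copy(SAMPLE_FORM)
    print(html)
    print(f"hidden elements dropped: {dropped}, password values stripped: {stripped}")
```

The hidden-subtree counter is what makes the `<div style="display:none">` case correct: everything nested under a hidden element is suppressed, not just the element's own start tag, mirroring the "any element with display:none will be removed" rule rather than a per-tag filter.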
