
Re: Copy to Clipboard - ambush and abuse by javascript

From: Tim Berners-Lee <timbl@w3.org>
Date: Thu, 3 Jun 2010 11:33:10 -0400
Cc: Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org" <www-tag@w3.org>, John Kemp <john@jkemp.net>
Message-Id: <D2B26A51-E4EA-461F-BAFD-8A6879CC4E7B@w3.org>
To: nathan@webr3.org

On 2010-06-02, at 15:58, Nathan wrote:

> Does this in any way tie in with what John Kemp is working on with CORS/UMP etc?
> 
> On reflection it seems a bit odd a spec is being made that allows sites to transfer personal information to each other, but doesn't give any control to the user over what they want to send to those sites.

Yes. I think it does connect. The CORS system allows a site to say "When you access this data, we the publishers trust you to run scripts from xx.yy.com domain on it". The publisher has control of the fate of the data - sounds reasonable except it ignores the possibility of the user knowing that the scripts are safe.

In the copy ambush example, I sympathize with Paul Libbrecht (and Jonas Sicking) when he says "...the only way out is to give the user the choice".

So a user may decide to trust -- well to allow, on balance -- the scripts from a given domain, while they will have advantages and disadvantages.  So the browser has to build up a list of user-trusted script sites?

Tim
Received on Thursday, 3 June 2010 15:33:16 UTC
