W3C home > Mailing lists > Public > www-tag@w3.org > June 2010

Re: Copy to Clipboard - ambush and abuse by javascript

From: Nathan <nathan@webr3.org>
Date: Thu, 03 Jun 2010 17:48:28 +0100
Message-ID: <4C07DCDC.8090005@webr3.org>
To: Tim Berners-Lee <timbl@w3.org>
CC: Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org" <www-tag@w3.org>, John Kemp <john@jkemp.net>
Tim Berners-Lee wrote:
> On 2010-06 -02, at 15:58, Nathan wrote:
> 
>> Does this in anyway tie in with what John Kemp is working on with CORS/UMP etc?
>>
>> On reflection it seems a bit odd a spec is being made that allows sites to transfer personal information to each other, but doesn't give any control to the user over what they want to send to those sites.
> 
> Yes. I think it does connect.  The CORS system allows a site to say "When you access this data, we the publishers trust  you to run scripts from xx.yy.com domain on it".   The publisher has control of the fate of the data - sounds reasonable except it ignores the possibility of the user knowing that the scripts are safe.
> 
> In the copy ambush example, I sympathize with Paul Libbrech (and Jonas Sicking ) when he says "...the only way out is to give the user the choice".
> 
> So a user may decide to trust -- well to allow, on balance -- the scripts from a given domain, while they will have advantages and disadvantages.  So the browser has to build up a list of user-trusted script sites?
> 
> Tim

long term I'd love to see signed javascript widgets on the client-side 
(so trust is implicit and opted in to by the user, like when we 
'install' an application).

short term is there really anyway around this? sites could still proxy 
the request, even if not using XHR they could load any remote element 
with GET params in to the DOM and pass info that way..

The only 'real' way I can see to address this, is to get each user to 
verify every single HTTP request after document.onload has fired, in 
combination with CORS on the server side (would still need a UMP style 
'Uniform-Headers' addition though [1]), and perhaps further in 
combination with a trusted domain/script list approach - likelihood of 
that happening..?

[1] http://dev.w3.org/2006/waf/UMP/#response-header-filtering

Best,

Nathan
Received on Thursday, 3 June 2010 16:49:34 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:33:06 UTC