W3C home > Mailing lists > Public > www-tag@w3.org > June 2010

Re: Copy to Clipboard - ambush and abuse by javascript

From: Nathan <nathan@webr3.org>
Date: Thu, 03 Jun 2010 19:29:37 +0100
Message-ID: <4C07F491.4000508@webr3.org>
To: John Kemp <john@jkemp.net>
CC: Tim Berners-Lee <timbl@w3.org>, Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org" <www-tag@w3.org>
John Kemp wrote:
> On Jun 3, 2010, at 12:48 PM, Nathan wrote:
> 
>> long term I'd love to see signed javascript widgets on the client-side (so trust is implicit and opted in to by the user, like when we 'install' an application).
> 
> I don't think that signing the widget (and corresponding signature verification by the widget installer) implies any _real_ trust between the user (who is simply clicking a button saying "install this app from XX, yes or no?") and the widget. 
> 
> In the best case, the signature was made by a company whose brand the user trusts, and the widget application code was verified reasonably well enough as to be thought of by the signer as "unlikely to be malicious". 

I'd argue the best case is that the code can't run unbeknown to me, 
without at least some action on my part first - implicit trust may have 
been a bit strong to be fair, but there is some kind of expectation of 
trust, some notion of accountability, all of which are far better than 
the current 'code just runs regardless' situation we have now.

>> short term is there really anyway around this? sites could still proxy the request, even if not using XHR they could load any remote element with GET params in to the DOM and pass info that way..
>>
>> The only 'real' way I can see to address this, is to get each user to verify every single HTTP request after document.onload has fired, in combination with CORS on the server side (would still need a UMP style 'Uniform-Headers' addition though [1]), and perhaps further in combination with a trusted domain/script list approach - likelihood of that happening..?
> 
> Why should someone trust a domain at all?

no reason why anybody should of course, yet I personally do trust my own 
domains, most of my clients and friends, and some larger entities like 
w3.org. In a scenario like the above I'd really appreciate the ability 
to turn of that 'do you want to' nag screen for these domains :)

Many Regards,

Nathan

> The point of UMP, I think, is to make the decision as to whether to authorize a request be based on specific agreement between the requesting site and the recipient, and a specific agreement between the user and the recipient, and to decouple these agreements from one another.
> 
> This makes it more difficult for such a decision to be made implicitly, based on automated actions by a piece of software which is merely acting as an agent of another piece of software in making the request. 
> 
> Regards,
> 
> - johnk
> 
>> [1] http://dev.w3.org/2006/waf/UMP/#response-header-filtering
>>
>> Best,
>>
>> Nathan
>>
>>
>>
> 
> 
> 
Received on Thursday, 3 June 2010 18:30:43 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:33:06 UTC