Re: Copy to Clipboard - ambush and abuse by javascript

From: David Booth <david@dbooth.org>
Date: Mon, 14 Jun 2010 22:37:18 -0400
To: Tim Berners-Lee <timbl@w3.org>
Cc: "L. David Baron" <dbaron@dbaron.org>, "Roy T. Fielding" <fielding@gbiv.com>, ashok.malhotra@oracle.com, Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <1276569438.18161.6620.camel@dbooth-laptop>

On Thu, 2010-06-10 at 19:31 +0200, Tim Berners-Lee wrote:
> On 2010-06-10, at 02:35, David Booth wrote:
> 
> > On Fri, 2010-06-04 at 19:27 -0700, L. David Baron wrote:
> > [ . . . ]
> >> The ability to manipulate what a user is copying is also important
> >> for applications on the Web.  If you're using a Web app like Google
> >> Docs, you want copy to copy a useful representation, not the
> >> internal representation that the editor uses.  
> > 
> > But it is the *browser* that renders things like HTML, plain text, PDF,
> > etc. -- not javascript.  Why should javascript be given the ability to
> > mess with it *after* the user has selected and told the browser to
> > *copy* it?  
> 
> 
> Well, for example, the Tabulator would want to figure out which
> bit of HTML rendering you had deselected and return as a clipboard 
> option the underlying RDF model data.

But Tabulator is a *browser* -- not a web site.  

So perhaps the question should be rephrased as asking whether a
*website* should be able to control copy and paste, rather than whether
*javascript* should permit it.  Just as some operations are safe and
others are unsafe, and unprivileged websites should not be permitted to
perform unsafe javascript operations, it seems to me that the ability to
mess with the copy buffer should be considered an unsafe (privileged)
javascript function.  

Actually, even the ability of a website to observe copy *events* seems
to me like an invasion of privacy.


-- 
David Booth, Ph.D.
Cleveland Clinic (contractor)

Opinions expressed herein are those of the author and do not necessarily
reflect those of Cleveland Clinic.
Received on Tuesday, 15 June 2010 02:37:47 UTC
