- From: ROBO Design <robodesign@gmail.com>
- Date: Sun, 05 Mar 2006 16:24:37 +0200
- To: "Doug Schepers" <doug@schepers.cc>
- Cc: "Web APIs Working Group" <public-webapi@w3.org>
Le Sun, 05 Mar 2006 14:46:55 +0200, Doug Schepers <doug@schepers.cc> a écrit: > I don't think that the risk of nasty hacks outweighs the utility of > clipboard access. No doubt some abuse will occur, but I think that the > easiest way of dealing with all nasty JS abuse is to give users an > obvious > and simple "Disable Script" button that applies to the current tab. That > way > they can, if necessary, copy text, use the context menu, and all the > other > things that malicious control-freaks can dish out. The usefulness of clipboard access is very important, but security is more important. I'd say the spec must have a requirement for implementors: no matter how, but User Agents must be obliged into asking (at least once per domain, per page, per script, per whatever) for confirmation from the user "do you allow clipboard access from ...?". Simply allowing access to clipboard data, without confirmation, is by no means acceptable. Doing so, has serious privacy implications (think of how many users have passwords, credit card numbers, personal data, or whatever in clipboard). There's no need for malicious freaks to do something nasty. I can even add to my site right now (if I want) a script to save all clipboard data on my server (for IE users). Nobody would know, unless they'd check my scripts. That's something every script kiddie would do, just for the "fun" of doing it. Bringing such features to all "web developers" must be done with care, not to be hasted. -- http://www.robodesign.ro ROBO Design - We bring you the future
Received on Sunday, 5 March 2006 14:23:58 UTC