- From: <bugzilla@jessica.w3.org>
- Date: Fri, 13 Sep 2013 09:08:46 +0000
- To: public-webapps-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=23235 Bug ID: 23235 Summary: enable clipboard usage from certain trusted event-triggered script by default Product: WebAppsWG Version: unspecified Hardware: PC OS: Linux Status: NEW Severity: normal Priority: P2 Component: Clipboard API and events Assignee: hsteen@mozilla.com Reporter: hsteen@mozilla.com QA Contact: public-webapps-bugzilla@w3.org CC: mike@w3.org Per discussion at http://lists.w3.org/Archives/Public/public-webapps/2013JulSep/0061.html and onwards, we should allow script treads triggered from a white-list of trusted events to use document.execCommand('copy|cut|paste'). (White-listing is required to avoid allowing reading clipboard data from mousemove and similar events.) Suggested white-list: keydown keypress keyup click dblclick This presumably gives us feature parity with the Flash player. Trust settings or similar configuration should be available to override this requirement and enable event-less polling of or writing to the clipboard, but this is up to UAs. (The security policy might also choose to distinguish the more dangerous document.execCommand('paste') from the others. Preventing copy/cut are more about avoiding nuisance, while preventing paste is an essential privacy measure. At the time of writing, I don't remember how implementations currently do this.) Finally, for obvious reasons this bug may have to be fixed in an editing API spec, not in Clipboard Events. -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Friday, 13 September 2013 09:08:51 UTC