- From: <bugzilla@jessica.w3.org>
- Date: Fri, 13 Sep 2013 09:08:46 +0000
- To: public-webapps-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=23235
Bug ID: 23235
Summary: enable clipboard usage from certain trusted
event-triggered script by default
Product: WebAppsWG
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Clipboard API and events
Assignee: hsteen@mozilla.com
Reporter: hsteen@mozilla.com
QA Contact: public-webapps-bugzilla@w3.org
CC: mike@w3.org
Per discussion at
http://lists.w3.org/Archives/Public/public-webapps/2013JulSep/0061.html and
onwards, we should allow script treads triggered from a white-list of trusted
events to use document.execCommand('copy|cut|paste').
(White-listing is required to avoid allowing reading clipboard data from
mousemove and similar events.)
Suggested white-list:
keydown
keypress
keyup
click
dblclick
This presumably gives us feature parity with the Flash player.
Trust settings or similar configuration should be available to override this
requirement and enable event-less polling of or writing to the clipboard, but
this is up to UAs.
(The security policy might also choose to distinguish the more dangerous
document.execCommand('paste') from the others. Preventing copy/cut are more
about avoiding nuisance, while preventing paste is an essential privacy
measure. At the time of writing, I don't remember how implementations currently
do this.)
Finally, for obvious reasons this bug may have to be fixed in an editing API
spec, not in Clipboard Events.
--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Friday, 13 September 2013 09:08:51 UTC