- From: Rob Wu <notifications@github.com>
- Date: Fri, 15 Sep 2017 02:32:20 -0700
- To: w3c/clipboard-apis <clipboard-apis@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/clipboard-apis/issues/51/329731738@github.com>
Just to clarify, "Mozilla's permissions" as mentioned above are NOT web-exposed. They are only in extensions, and largely based on the usage in Chrome extensions.

In practice, Google Chrome's extensions can write without any permissions (for back-compat because of an earlier mistake to not constrain it, https://chromium.googlesource.com/chromium/src/+/3a3410e0eb66727afa4f2557954ecfbd9b230c83/chrome/test/data/extensions/api_test/clipboard/extension_no_permission/test.js#40) and only read with the clipboardRead permission. In contrast, Firefox enforces clipboardWrite and clipboardRead separately.

Reading is certainly powerful (passwords on clipboard), but writing should not be underestimated either. E.g. if someone is known for the habit of pasting commands in a shell, then the ability to silently write to the clipboard can have undesired consequences.

Succinctly, the capabilities of the clipboard are:

- read - protects the confidentiality of the clipboard content
- write - protects the integrity of the clipboard content

Both goals can independently be desirable to the user (and [the permissions registry](https://w3c.github.io/permissions/#permission-registry) does not have any examples of permissions with read/write flags, so we're going to be the first).

---

The example cited as "less obvious" seems obvious to me:

> write:true, read:true > write:false, read:false
> write:true, read:true > write:true, read:false
> write:true, read:true > write:false, read:true
> but...
> write:false, read:true ??? write:true, read:false
> write:true, read:false ??? write:false, read:true

In the above example, "???" means "not stronger", i.e. ask for permission. If the application intended to use both permissions, then it should not have downgraded its permissions to avoid additional permission prompts.

---

An alternative to avoid the non-sensical `write:false, read:false` combination is to use something like:

    clipboard access=full | read | write

The hierarchy is a diamond:

      full (read+write)
        /       \
     write     read
        \       /
         denied

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/clipboard-apis/issues/51#issuecomment-329731738
Received on Friday, 15 September 2017 09:32:42 UTC
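
The ordering described in the message above can be modelled as a partial order over read/write flag pairs. The following is an added example, not part of the original message and not any browser's implementation; all names in it (`LEVELS`, `covers`, `compare`, `needsPrompt`, `join`, `levelName`) are hypothetical.

```javascript
// Added example: the four clipboard states from the diamond, as flag pairs.
const LEVELS = Object.freeze({
  denied: { read: false, write: false },
  read:   { read: true,  write: false },
  write:  { read: false, write: true  },
  full:   { read: true,  write: true  },
});

// a covers b when every capability set in b is also set in a
// (a sits at or above b in the diamond).
function covers(a, b) {
  return (a.read || !b.read) && (a.write || !b.write);
}

// Relation between two states. "incomparable" is the "???" case in the
// message: neither side is stronger, so neither grant implies the other.
function compare(a, b) {
  const ab = covers(a, b);
  const ba = covers(b, a);
  if (ab && ba) return "equal";
  if (ab) return "stronger";
  if (ba) return "weaker";
  return "incomparable";
}

// A prompt is needed unless the granted state already covers the request.
// Both "weaker" and "incomparable" grants therefore lead to a prompt.
function needsPrompt(granted, requested) {
  return !covers(granted, requested);
}

// Least upper bound: the state held after the user approves the request
// on top of what was already granted.
function join(a, b) {
  return { read: a.read || b.read, write: a.write || b.write };
}

// Map a flag pair back to its name in the diamond.
function levelName(state) {
  return Object.keys(LEVELS).find(
    (k) => LEVELS[k].read === state.read && LEVELS[k].write === state.write
  );
}
```

A site holding only `read` that requests `write` gets a prompt, and approval moves it to `full` rather than swapping one capability for the other.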