[w3c/clipboard-apis] Restrict Clipboard API to top-level origin (#106)

The [Async Clipboard API](https://www.w3.org/TR/clipboard-apis/#async-clipboard-api) doesn't already restrict API use to top-level origins, but other potentially dangerous APIs like [screen share](https://w3c.github.io/mediacapture-screen-share/#feature-policy-integration-0) do. Using a feature policy to restrict usage to top-level origins should help avoid potential permission/data leakages across origins.

Could we please add a Feature Policy to require the Clipboard API to only be accessible to top-level frames, at least unless the owning origin explicitly allows subframes to access this? (An extension from this could be only allowing the top-level origin to access this API, and not allowing sub-frames to access this at all.) This change can likely use text very similar to that in the screen share spec.

https://github.com/w3c/clipboard-apis/issues/106

Received on Thursday, 14 November 2019 01:50:58 UTC