- From: Sangeeth Sudheer <notifications@github.com>
- Date: Fri, 17 Dec 2021 04:47:34 -0800
- To: w3c/clipboard-apis <clipboard-apis@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/clipboard-apis/issues/154/996696422@github.com>
> If this is solely about providing this `sensitive` flag to the underlying operating system, so that other applications (e.g., cloud sync) can choose not to store them, then I think it's not a bad idea. Yes, this was my intention. Passwords, API keys and anything that I as a developer firmly believe shouldn't go into a "Clipboard History" application, OS-provided or built-in can respect such a flag. Or, the browser can (if possible), signal this intention. Ideally, would prefer any such application could choose this for themselves. Plus, it could be a configurable option for these Clipboard managers whether to keep sensitive info in history or not. It's useful sometimes to copy these across devices but I understand that could pose a security risk too. > Do I also correctly understand that the browser wouldn't behave differently when *reading* a sensitive ClipboardItems, i.e., web sites would be able to have the same discretion for sensitive items? This is interesting. It could be helpful maybe to prevent accidentally sending a sensitive information in say a public forum. Websites could alert the user about it. Not entirely sure about the security implications besides a bad actor finding it easy to filter for these specific items. > ...An evil web page that is trying to paste indefinitely in the hope of scraping some passwords from the clipboard. Paste events don't need a user action to work? 🤔 -- Reply to this email directly or view it on GitHub: https://github.com/w3c/clipboard-apis/issues/154#issuecomment-996696422 You are receiving this because you are subscribed to this thread. Message ID: <w3c/clipboard-apis/issues/154/996696422@github.com>
Received on Friday, 17 December 2021 12:47:46 UTC