- From: Daniel Appelquist <notifications@github.com>
- Date: Mon, 07 Jun 2021 07:20:29 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 7 June 2021 14:21:50 UTC
@gked

> To be clear, it is not just a random site accessing clipboard content. User will need to give clipboard access to the site through permissions API first.

I'm not sure I'm convinced that putting something behind a permission by itself is sufficient for something this powerful and potentially privacy infringing, especially considering how we have seen egregious gaming of privacy prompts by bad actors (see here: https://github.com/w3ctag/design-reviews/issues/337#issuecomment-561368571). However, adding a user activation requirement and being the active document in focus (as you've described) **may** provide additional mitigation. I put this on the agenda for this week's TAG calls to discuss further.

Are the risks and mitigations documented in the appropriate security & privacy considerations section? If so, can you point me that way?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/636#issuecomment-855971033