- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 14 Dec 2009 16:26:33 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Maciej Stachowiak <mjs@apple.com>, Jonathan Rees <jar@creativecommons.org>, "Mark S. Miller" <erights@google.com>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Mon, Dec 14, 2009 at 2:38 PM, Adam Barth <w3c@adambarth.com> wrote: > On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close <tyler.close@gmail.com> wrote: >> For example, the >> User Consent Phase and Grant Phase above could be replaced by a single >> copy-paste operation by the user. > > Any design that involves storing confidential information in the > clipboard is insecure because IE lets arbitrary web sites read the > user's clipboard. You can judge that to be a regrettable choice by > the IE team, but it's just a fact of the world. And so we use the alternate, no-copy-paste design on IE while waiting for a better world; one in which users can safely copy data between web pages. I imagine many passwords and other PII are made vulnerable by IE's clipboard policy. --Tyler -- "Waterken News: Capability security on the Web" http://waterken.sourceforge.net/recent.html
Received on Tuesday, 15 December 2009 00:27:07 UTC