Re: risks of custom clipboard types

Ryosuke Niwa
Software Engineer
Google Inc.




On Tue, May 17, 2011 at 10:48 AM, Paul Libbrecht <paul@hoplahup.net> wrote:
>
>  This was certainly at least copied in plain-text as well, or?
>> The risk is here today then already, correct? (even with traditional forms
>> and a quick onchange that makes it invisible).
>>
>
> It is not because Chromium specifically clears the plain text type if it
> detects a file drag.
>
>
> So file-flavour is something special that should be always filtered??
> (in DnD or in CnP), which should be warned against in the spec?
>
> Ryosuke, can you confirm this is the only risk you were talking about?
>

No. There are some applications that embed sensitive information such as
the local file path and user name inside content put into the clipboard without
notifying the user. As far as I'm concerned, giving websites access to such
information is not acceptable.

- Ryosuke

Received on Tuesday, 17 May 2011 18:06:41 UTC
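
The concern raised in the reply above, as an added example that is not part of the original message: a check that scans each clipboard type for local file paths and account names before the data is exposed to web content. The function names, the patterns and the sample payload are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): flag local paths and account names
// in clipboard payloads. The patterns are illustrative assumptions, not a
// complete list of what applications may embed.
const PATTERNS = [
  // file: URLs, e.g. file:///C:/Users/alice/report.doc
  { kind: "file-url", re: /file:\/\/[^\s"'<>)]+/gi },
  // Windows profile paths; capture group 1 is the account name
  { kind: "windows-profile",
    re: /[A-Za-z]:[\\/](?:Users|Documents and Settings)[\\/]([^\\/\s"'<>]+)/g },
  // Unix/macOS home directories (skipped when part of a drive-letter path);
  // capture group 1 is the account name
  { kind: "unix-home", re: /(?<![A-Za-z]:)\/(?:home|Users)\/([^\/\s"'<>]+)/g },
];

// Scan one payload string; return every match plus the distinct account names.
function findLocalLeaks(payload) {
  const findings = [];
  const users = new Set();
  for (const { kind, re } of PATTERNS) {
    for (const m of payload.matchAll(re)) {
      findings.push({ kind, match: m[0] });
      if (m[1]) users.add(m[1]);
    }
  }
  return { findings, users: [...users] };
}

// Scan a map of clipboard type -> string data; report only types that leak.
function scanClipboardTypes(items) {
  const report = {};
  for (const [type, data] of Object.entries(items)) {
    const result = findLocalLeaks(data);
    if (result.findings.length > 0) report[type] = result;
  }
  return report;
}

// Constructed sample: the plain-text flavour is clean, while the HTML flavour
// carries a path the user never sees in the rendered content.
const sample = {
  "text/plain": "Quarterly summary",
  "text/html": '<html><head><link rel="File-List" ' +
    'href="file:///C:/Users/alice/AppData/Local/Temp/clip_filelist.xml">' +
    "</head><body><p>Quarterly summary</p></body></html>",
};

console.log(JSON.stringify(scanClipboardTypes(sample), null, 2));
```

The sample shows why filtering only the plain-text type is not enough: the visible text is identical in both flavours, and only the HTML flavour discloses the path and account name.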