Re: Concerns regarding cross-origin copy/paste security from Ryosuke Niwa on 2012-02-03 (public-webapps@w3.org from January to March 2012)

From: Ryosuke Niwa <rniwa@webkit.org>
Date: Thu, 2 Feb 2012 22:27:54 -0800
To: Charles Pritchard <chuck@jumis.com>
Cc: "Hallvord R. M. Steen" <hallvord@opera.com>, public-webapps <public-webapps@w3.org>, Daniel Cheng <dcheng@chromium.org>
Message-ID: <CABNRm60m_hu7fEpbgV9832Bdt4mom=EibMePArhTQAF_Pz1=Bw@mail.gmail.com>

On Thu, Feb 2, 2012 at 10:20 PM, Charles Pritchard <chuck@jumis.com> wrote:
>
>  Seems like a very minor risk for high security sites, e.g. banking, in
> identifying form elements.
> In the spirit of giving it some thought:
>

But even for those websites, what could input / textarea elements can
reveal more than what user sees?

 There are various XSS headers that signal enhanced security for websites,
> even to browser extensions.
> Perhaps some of them ought to be used in the "copy" mechanism. That way
> the data never reaches the clipboard for paste.
>

That's also an option and may need to be spec'ed to some extent.

- Ryosuke

Received on Friday, 3 February 2012 06:28:42 UTC