Re: Concerns regarding cross-origin copy/paste security

On Thu, Feb 2, 2012 at 10:43 PM, Charles Pritchard <chuck@jumis.com> wrote:

> On 2/2/12 10:27 PM, Ryosuke Niwa wrote:
>
> On Thu, Feb 2, 2012 at 10:20 PM, Charles Pritchard <chuck@jumis.com> wrote:
>>
>>  Seems like a very minor risk for high security sites, e.g. banking, in
>> identifying form elements.
>> In the spirit of giving it some thought:
>>
>
>  But even for those websites, what could input / textarea elements
> reveal beyond what the user sees?
>
> Many sites use <input hidden> elements with what are essentially image
> maps for entering a PIN.
>

But any element with display:none will be removed so <input hidden> should
be removed.

> It's becoming more common that top level domains are being restricted or
> redirected to country codes. It seems plausible that domains may further be
> restricted to HTTPS (SSL) signatures. Going further, sites may be
> restricted to those which serve appropriate security headers against XSS
> attacks. Disabling the "copy" mechanism for any portion of a site does risk
> censorship. But, we are only examining high security portions of high
> security sites, such as <input hidden> and <input type=password>.
>

input[type=password] is a good one. We should probably get rid of the value
in that case?

- Ryosuke

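The two stripping rules the thread converges on (drop hidden elements from the copied markup, and drop the value of input[type=password]) as an added example; this is not WebKit's or the list's own code. It assumes "hidden" means an inline display:none style or the hidden attribute, since a real implementation would consult computed style.

```python
from html.parser import HTMLParser
from html import escape

# Elements that never have a closing tag (assumption: a small subset is enough here).
VOID = {"input", "br", "img", "hr", "meta", "link"}


def _is_hidden(attrs):
    """True for <x hidden> or an inline style containing display:none."""
    for name, value in attrs:
        if name == "hidden":
            return True
        if name == "style" and value and "display:none" in value.replace(" ", "").lower():
            return True
    return False


class ClipboardSanitizer(HTMLParser):
    """Rebuilds markup, skipping hidden subtrees and password values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a hidden (non-void) subtree

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID:
                self.skip_depth += 1  # nested element inside a hidden subtree
            return
        if _is_hidden(attrs):
            if tag not in VOID:
                self.skip_depth = 1  # start skipping until the matching close tag
            return  # a hidden void element (e.g. <input hidden>) is simply dropped
        if tag == "input" and any(n == "type" and (v or "").lower() == "password" for n, v in attrs):
            attrs = [(n, v) for n, v in attrs if n != "value"]  # never copy the secret
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}" for n, v in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID:
                self.skip_depth -= 1
            return
        if tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_for_clipboard(markup):
    """Return the HTML that would be placed on the clipboard for cross-origin paste."""
    parser = ClipboardSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```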
Received on Friday, 3 February 2012 06:49:13 UTC