- From: James Greene <james.m.greene@gmail.com>
- Date: Wed, 24 Jul 2013 20:11:00 -0500
- To: Hallvord Steen <hsteen@mozilla.com>
- Cc: Paul Libbrecht <paul@hoplahup.net>, public-webapps@w3.org, rohan@github.com
- Message-ID: <CALrbKZjfMG2Ua6=nCN-42ADm=yrOnt8Kae-dbSZ-_f47wDc3AA@mail.gmail.com>
Hallvord — I have also long agreed that clipboard poisoning is rarely that big of an issue so long as we're not enabling programmatic reading of the clipboard during a copy event (which I would agree is completely unnecessary). As you said, since Flash is already an available option to do this today (and can thus only be prevented by disabling Flash, or enforcing specialized clipboard sandboxing at a system level), moving it into the DOM world isn't a big stretch by any means. I also agree that making this ability the default is not unreasonable anymore but I thought that might be a bit of a stretch... happy to see that I am wrong. :) Sincerely, James Greene On Wed, Jul 24, 2013 at 5:34 PM, Hallvord Steen <hsteen@mozilla.com> wrote: > [Replying to Paul's mail but it's really a response to James - sorry, > Paul..] > > On 12 juil. 2013, at 21:57, James Greene wrote: > > > It appears that the only way to trigger a `copy` event programmatically > is to use `document.execCommand('copy')`, which most browsers prevent: > > > http://www.w3.org/TR/clipboard-apis/#integration-with-other-scripts-and-events > > Correct. > > > What about enabling so enabling semi-restricted programmatic clipboard > injection on a page > > if the user grants their express permission via a once-per-domain > security prompt (similar > > to the Geolocation API)? > > Well, with my spec editor's hat on: Nothing really prevents UAs from > implementing this already. They could hook up document.execCommand('Copy') > to whatever that UA's convention for a security permission prompt is. I'd > like to see this, actually. > > That said, this functionality doesn't really have privacy implications (as > long as it is about programmatically *writing to*, not *reading from* the > clipboard) so it's mostly just about preventing nuisance, plus some > slightly far-fetched security threats (which aren't all that credible if > they are not already exploited with Flash's clipboard implementation). Our > intentions as implementors has sort of moved towards enabling all the cool > stuff apps and sites might do, and away from trying to control nuisance. > It's quite possible to argue that writing to the clipboard should be > enabled by default. > -Hallvord >
Received on Thursday, 25 July 2013 01:11:48 UTC