- From: Jeffrey Walton <noloader@gmail.com>
- Date: Sat, 26 Jul 2014 10:09:02 -0400
- To: Perry Smith <pedzsan@gmail.com>
- Cc: public-webapps@w3.org
On Sat, Jul 26, 2014 at 9:34 AM, Perry Smith <pedzsan@gmail.com> wrote:
>
> On Jul 26, 2014, at 8:26 AM, Jeffrey Walton <noloader@gmail.com> wrote:
>
>> On Sat, Jul 26, 2014 at 9:19 AM, Perry Smith <pedzsan@gmail.com> wrote:
>>> Sorry if this is a lame question but I never understood the dangers of Copy and Paste that the web is trying to avoid. Can someone explain that to me?
>>>
>> It's a point of data egress. You don't want sensitive information from one program scraped and egressed by another.
>>
>> The first program could be a browser and the second program could be malware. In this case, the malware looks for data placed on the clipboard by the browser (and hopes to get a username, password, sensitive document, etc).
>>
>> Or, it could be another program with the browser scraping the data and hauling it off to a site.
>
> I thought about that. So it is not so much the Copy and Paste operations as much as being able to get the content of the clipboard?
>

Yes, I believe so.

The clipboard is a shared resource with little to no restrictions. One of the check boxes on a security evaluation is how a program handles the clipboard and copy/paste (or at least the ones I used when doing security architecture work). It's one of those dataflows that could be part of a higher than expected data sensitivity, like a single sign-on password.

Also, "data egress" may have been a bad choice. In this case, I think it's more about "data collection". It's hard to stop a web browser from opening a socket ;)

Two additional clipboard features that would be nice are: (1) a "one shot" copy/paste: delete the password from the clipboard after retrieving it from the password manager and pasting it into a password box; and (2) "timed" copy/paste: expire the data after 10 seconds or so.

Both should allow the legitimate use cases, and narrow the window for the abuse cases.

Jeff
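An added example, not part of Jeff's message and not any browser's clipboard API: a small JavaScript model of the two policies he proposes ("one shot" and "timed") so the narrowed exposure window can be checked deterministically. The class name, option names, injected clock and the 10-second default are assumptions for illustration.

```javascript
// Added example (not from the thread): an in-memory clipboard with the two
// policies proposed in the message. The clock is injected (a function returning
// milliseconds) so behaviour can be checked without real timers; the class and
// its option names are assumptions, not a real browser API.
class GuardedClipboard {
  constructor({ now = () => Date.now(), ttlMs = 10_000 } = {}) {
    this.now = now;
    this.ttlMs = ttlMs;
    this.slot = null; // { text, writtenAt, oneShot } or null when empty
  }

  // Place text on the clipboard. oneShot=true means the first read consumes it.
  write(text, { oneShot = false } = {}) {
    this.slot = { text, writtenAt: this.now(), oneShot };
  }

  // Return the text, or null if nothing is readable. Expired data is cleared
  // on the way out; a one-shot entry is cleared after its first successful read.
  read() {
    const s = this.slot;
    if (s === null) return null;
    if (this.now() - s.writtenAt >= this.ttlMs) {
      this.slot = null; // timed policy: data outlived its window
      return null;
    }
    if (s.oneShot) this.slot = null; // one-shot policy: consumed by this paste
    return s.text;
  }

  clear() { this.slot = null; }
}

// Walk through the scenario from the thread with a constructed secret: a
// password manager copies it, the user pastes once, and anything polling the
// clipboard afterwards sees nothing. Then a plain timed entry expires after
// the TTL. Returns each read so the outcomes can be inspected or asserted.
function demo() {
  let t = 0;
  const clip = new GuardedClipboard({ now: () => t, ttlMs: 10_000 });
  clip.write('s3cret-password', { oneShot: true }); // constructed sample value
  const firstPaste = clip.read();  // legitimate paste into the password box
  const secondRead = clip.read();  // later reader gets nothing
  clip.write('sso-token');         // constructed value, timed policy only
  t = 5_000;
  const withinTtl = clip.read();   // still inside the 10 s window
  t = 10_001;
  const afterTtl = clip.read();    // window closed, data gone
  return { firstPaste, secondRead, withinTtl, afterTtl };
}
```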
Received on Saturday, 26 July 2014 14:09:28 UTC