W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2014

Re: PSA: publishing new WD of Clipboard API and events on Sept 18

From: Hallvord R. M. Steen <hsteen@mozilla.com>
Date: Mon, 15 Sep 2014 14:26:37 -0700 (PDT)
To: noloader@gmail.com
Cc: Arthur Barstow <art.barstow@gmail.com>, public-webapps <public-webapps@w3.org>
Message-ID: <293466552.25775772.1410816397751.JavaMail.zimbra@mozilla.com>
>>   <http://dev.w3.org/2006/webapi/clipops/clipops.html>
> Please forgive my ignorance. But I don't see a requirement that data
> egressed from the local machine to be protected with SSL/TLS.

I can certainly add a note *encouraging* encryption, but it's not something we can "require" in a meaningful sense - it's several layers away from the parts of the process the spec is about.

> Also, if the origin uses a secure scheme like HTTPS, then shouldn't
> the script's also require the same? That is, shouldn't the spec avoid
> fetching from https://www.example.com and then shipping clipboard data
> off to http://www.ads.com?

As an end user, I would go absolutely nuts if a computer was behaving inconsistently in apparently random ways like that. I'm pretty sure that no matter how security conscious you are, you probably copy and paste data between HTTPS and HTTP pages several times every month.. Having the browser block that because it pretends to know that some random data is important when I know it's not doesn't sound user friendly at all.
-Hallvord
Received on Monday, 15 September 2014 21:27:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:26 UTC