Re: Copy to Clipboard - ambush and abuse by javascript from Paul Libbrecht on 2010-06-02 (www-tag@w3.org from June 2010)

From: Paul Libbrecht <paul@activemath.org>
Date: Wed, 2 Jun 2010 22:54:44 +0200
To: Tim Berners-Lee <timbl@w3.org>
Cc: TAG List <www-tag@w3.org>
Message-Id: <AB765F49-C629-42C0-93E7-2E379E7F33F3@activemath.org>

Very interesting,

it's the first time I hear of a library that actually claims to make  
broad use of the various browser clipboard APIs (at least the one  
received on my Safari tried to catch the oncopy events, those are the  
ones of HTML5 I think). I also note that this injection fails with  
Opera 10 and also fails with drag and drop of text (on my MacOSX 10.5).

What's interesting is that there's no way to differentiate a  
benevolent pre-copy operation (for example to create a better version  
of the thing being copied, such as inject alternate representations  
from the server: a vector-quality-picture, an iCal event, a content- 
MathML equivalent, a properly formatted plain-text schedule, ontology  
fragments...) and an apparently ugly approach as is done in the  
examples quoted below and at Daring Fireball's. The services are  
provided by the servers and could prove to be very useful.

 From a discussion I had with Jonas Sicking last year, I believe the  
only way out is to give the user the choice:

- accept services of the site provider for the clipboard (hence luxury)
- don't accept this form the site provider

Many people have been talking about asking the user what to do; J  
Sicking was rather of the opinion of have an extra copy command "copy  
text" or "copy as is" which would disable all such services.

The issue that everyone criticizes here is the injection of these  
Google Analytics tokens; and I tend to agree, this is a problem. Who  
can prevent such? The issue is a privacy issue: the users, if ever  
posting such a URL, should be aware that they are closing the loop of  
trackers. I think that a more useful service would have attracted far  
less critiques!

paul

Le 02-juin-10 à 17:14, Tim Berners-Lee a écrit :

> Example on MSNBC:
> http://today.msnbc.msn.com/id/29875493/ns/today-green/
> Very frustrating -- but a violation of the user interface.
>
> It is discussed by John Gruber on:
> http://daringfireball.net/2010/05/tynt_copy_paste_jerks
>
> "the site uses JavaScript to report what you’ve copied to an  
> analytics server" when you perform a copy.
> This I think seriously violates the function of Copy, and the user's  
> rights.
>
> Should browsers ensure that Copy is always a read-only operation,  
> unless they have INSTALLED code to do something different?
>
> Tim
>
>
>
>

Attachments

application/pkcs7-signature attachment: smime.p7s

Received on Wednesday, 2 June 2010 20:55:24 UTC