
Re: Copy to Clipboard - ambush and abuse by javascript

From: Karl Dubost <karl+w3c@la-grange.net>
Date: Fri, 4 Jun 2010 20:59:15 -0400
Cc: TAG List <www-tag@w3.org>
Message-Id: <C18A29F5-1AB3-42EA-973B-392F31BEEB5D@la-grange.net>
To: Tim Berners-Lee <timbl@w3.org>

On 2 June 2010 at 11:14, Tim Berners-Lee wrote:
> It is discussed by John Gruber on:
> http://daringfireball.net/2010/05/tynt_copy_paste_jerks

back to the issue 

# The guilty

A company, Example Publishing Co., wrote an article http://example.com/path/myarticle

The "Example Publishing Co." has decided to put the Tracer from tynt. 
In the specific article it is

   <script type="text/javascript" 

# The victim

Someone cuts and pastes and gets in the clipboard buffer something like this:

   Power is what men seek and any group that gets it will abuse it. 
   Lincoln Steffens
   Read More: http://example.com/path/myarticle?eref=sinav#ixzz0ghvk2qyP

# The provider 

Tynt is offering a (nasty) tool for helping publishers to track their content. BUT Tynt didn't force people to put that on their Web sites (important).

# Pros and Cons (trying to stay neutral)

* Is Tynt useful for publishers?
  Yes, they would not use it if they didn't see any value in it.

* Is Tynt harmful for users?
  Not really, at least not more than 
	* session trackers (Amazon), [this is in the uri too]
	* cookies (Google Analytics) 
	* or browsers with unique id (Google Chrome)

* Are users abused?
  I'm pretty sure most people will be happy with the read more with the URI.
  Imagine the system had just returned, without the tracking code.

       Power is what men seek and any group that gets it will abuse it. 
       Lincoln Steffens
       Read More: http://example.com/path/myarticle

   We would not argue about it. No?
   See the bookmarklet http://www.w3.org/2000/08/eb58

   What bothers us (geeks) is that the content put in the clipboard
   has been modified without our consent, but I think we react specifically to the 
   tynt tracer.

   But how different is it from Amazon creating a session tracker 
   which is even more difficult to identify when I copy paste the URI.

# What browsers should do?

	Tim: "Should browsers ensure that Copy is always 
	a read-only operation, unless they have INSTALLED 
	code to do something different?"

Give the choice to users. 
For example in Firefox or Safari, there is a "block pop up windows".
You can imagine something à la "Authorize only plain cut and paste"
Or having a warning pop-up for "Careful! A script modified the content of your copy"
   (not sure people will understand it)

# Other Analysis about Tynt (for and against)

http://besthubris.com/noscript-plug-in-graylist/ (Tynt put on the whitelist!)

# Tynt Blocker

* Chrome
* Firefox

Karl Dubost
Montréal, QC, Canada
Received on Saturday, 5 June 2010 00:59:32 UTC
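
Added example, not part of the original message or of any browser's code: the two options suggested in the message ("plain cut and paste only", or a warning that a script modified the copy) both come down to comparing the selected text with what landed on the clipboard. The function names, the `mode` switch and the tracking tokens (`eref` and `#ixzz`, taken from the sample URI in the message) are assumptions of this example.

```javascript
// Added example with hypothetical names; inputs are plain strings, no DOM needed.
// Assumption: tracking tokens look like the sample URI in the message,
// i.e. an "eref" query parameter and an "#ixzz..." fragment.
const TRACKING_PARAMS = ["eref"];
const TRACKING_FRAGMENT = /^#ixzz/i;

// Remove the tracking parameter and fragment from one URI.
function cleanUri(raw) {
  let url;
  try { url = new URL(raw); } catch { return raw; } // not a parseable URI: keep it
  for (const p of TRACKING_PARAMS) url.searchParams.delete(p);
  if (TRACKING_FRAGMENT.test(url.hash)) url.hash = "";
  return url.toString();
}

// Compare what the user selected with what ended up on the clipboard.
// mode "plain": always return the selection only ("plain cut and paste").
// mode "clean": keep an appended attribution line, minus its tracking tokens.
function inspectCopy(selected, clipboard, mode = "clean") {
  const norm = (s) => s.replace(/\r\n/g, "\n").trim();
  const sel = norm(selected);
  const clip = norm(clipboard);
  if (sel === clip) return { modified: false, appended: "", text: sel };

  // Text added after the untouched selection is treated as attribution;
  // any other rewrite is not trusted and yields the plain selection.
  const appended = clip.startsWith(sel) ? clip.slice(sel.length).trim() : "";
  if (mode === "plain" || appended === "") {
    return { modified: true, appended, text: sel };
  }
  const cleaned = appended.replace(/https?:\/\/\S+/g, (u) => cleanUri(u));
  return { modified: true, appended, text: sel + "\n" + cleaned };
}
```

The `modified` flag is what a "Careful! A script modified the content of your copy" warning would be driven by; `appended` is the text such a warning could show.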
