- From: Paul Libbrecht <paul@activemath.org>
- Date: Mon, 7 Jun 2010 09:05:16 +0200
- To: Roy T. Fielding <fielding@gbiv.com>
- Cc: L.David Baron <dbaron@dbaron.org>, Tim Berners-Lee <timbl@w3.org>, W3C TAG <www-tag@w3.org>
- Message-Id: <1A965FA2-91C6-4696-B331-BA98A93D5A70@activemath.org>
On 6 June 2010 at 03:36, "Roy T. Fielding" <fielding@gbiv.com> wrote:

>> [...] small image, positioning other content on top of it, etc.
>> And we
>> certainly still want to allow copying of text that's offscreen so
>> users can copy large pieces of text.
>
> Yes, I don't see a problem with copying what has been selected,
> even if it is difficult to see the entire selection.

That's exactly what David Baron was saying: it cannot be considered a problem, but it is very likely that any page that intends to be useful, such as a page powered by Tynt.com, uses offscreen text for what is considered malicious in this thread (it's just another hack: modify selected text after a selection is done).

> Allowing page-loaded javascript to add text to the cut buffer
> is an indirect security hole. The reason is because people do
> rely on content selection for things like copying examples
> from online manuals and help sites, and a seemingly harmless
> example on how to view a system property like
>
> sudo fs_usage
>
> can cause a lot of damage if
>
> ; sudo rm -rf /somewhere/valuable \n
>
> is surreptitiously added to the cut buffer. There may be other
> ways to trick a user into copying that text, but I suspect those
> other ways are all more detectable on a small selection than a
> script adding arbitrary text to the buffer.

This is indeed a scary example, but one has to choose (or let the user choose):

- either the web page can change the content of the text being copied, as well as provide alternative representations
- or the web page cannot do that: it is a mistrusted page

I know users generally don't know the trust level (though for the example above...) but I tend to believe that, indeed, I would prefer the spreadsheet applications, or online banking reports, to copy me something that I can compute with instead of a nicely formatted bit. Well, I probably want both.

Except with scripts, is there any markup I can use to say that a given sub-tree is the equivalent to the data at URL xx?

paul
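The cut-buffer tampering Roy describes above can be caught on the paste side rather than the copy side. The following is an added example, not code from this thread or from any browser: a pure check that a paste-aware terminal or a browser extension could run, given the selection text the user saw at copy time (in a browser, `window.getSelection().toString()` captured in the `copy` event) and what the clipboard actually contains. The function name and the report fields are assumptions of this example.

```javascript
// Added example (not from the thread). Compares the visible selection with the
// clipboard contents and flags text a page script may have appended, plus the
// one property that makes a pasted command run without confirmation: a
// trailing newline.
const SHELL_METACHARS = /[;&|\n\r`$()]/;

function inspectPastedText(visibleSelection, clipboardText) {
  const report = { tampered: false, appended: "", suspicious: false, reasons: [] };

  if (clipboardText !== visibleSelection) {
    report.tampered = true;
    if (clipboardText.startsWith(visibleSelection)) {
      // The classic case from the thread: the selection is intact, extra text follows it.
      report.appended = clipboardText.slice(visibleSelection.length);
    } else {
      // The clipboard was rewritten outright; treat all of it as injected.
      report.appended = clipboardText;
      report.reasons.push("clipboard does not start with the visible selection");
    }
    if (SHELL_METACHARS.test(report.appended)) {
      report.suspicious = true;
      report.reasons.push("injected text contains a newline or shell metacharacter");
    }
  }

  // Independent of tampering: a terminal executes pasted text that ends in a newline.
  if (/\n\s*$/.test(clipboardText)) {
    report.suspicious = true;
    report.reasons.push("text ends with a newline; a terminal would run it on paste");
  }
  return report;
}

// Constructed inputs reproducing the example quoted in the thread.
function demo() {
  const seen = "sudo fs_usage";
  const onClipboard = "sudo fs_usage; sudo rm -rf /somewhere/valuable \n";
  return inspectPastedText(seen, onClipboard);
}
```

A paste handler that gets a report with `suspicious` set would show the user the full clipboard text and ask before inserting it, which is the "let the user choose" option Paul raises.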
Received on Monday, 7 June 2010 07:06:24 UTC