W3C home > Mailing lists > Public > www-tag@w3.org > June 2010

Re: Copy to Clipboard - ambush and abuse by javascript

From: Paul Libbrecht <paul@activemath.org>
Date: Mon, 7 Jun 2010 09:05:16 +0200
Cc: L.David Baron <dbaron@dbaron.org>, Tim Berners-Lee <timbl@w3.org>, W3C TAG <www-tag@w3.org>
Message-Id: <1A965FA2-91C6-4696-B331-BA98A93D5A70@activemath.org>
To: Roy T. Fielding <fielding@gbiv.com>
Le 6 juin 2010 à 03:36, "Roy T. Fielding" <fielding@gbiv.com> a écrit :
>> [...] small image, positioning other content on top of it, etc.   
>> And we
>> certainly still want to allow copying of text that's offscreen so
>> users can copy large pieces of text.
> Yes, I don't see a problem with copying what has been selected,
> even if it is difficult to see the entire selection.

That's exactly what David Baron was saying: it cannot be considered a  
problem but it is very likely that any page that intends to be useful  
such as a page powered by Tynt.com uses offscreen text for what is  
considered malicious in this thread (it's just another hack: modify  
selected text after a selection is done).

> Allowing page-loaded javascript to add text to the cut buffer
> is an indirect security hole.  The reason is because people do
> rely on content selection for things like copying examples
> from online manuals and help sites, and a seemingly harmless
> example on how to view a system property like
>   sudo fs_usage
> can cause a lot of damage if
> ; sudo rm -rf /somewhere/valuable \n
> is surreptitiously added to the cut buffer.  There may be other
> ways to trick a user into copying that text, but I suspect those
> other ways are all more detectable on a small selection than a
> script adding arbitrary text to the buffer.

This is indeed a scary example but one has to choose (or let the user  

- either the web page can change the content of the text being copied  
as well  as provide alternative representations

- or the web page cannot do that, it is a mistrusted page

I know users generally don't know the trust level (though for the  
example above...) but I tend to believe that, indeed, I would prefer  
the spreadsheet applications, or online banking reports, to copy me  
something that I can compute with instead of a nicely formatted bit.

Well, I probably want both.
Except with scripts, is there any markup I can use to say that a given  
sub-tree is the equivalent to the data at URL xx?


Received on Monday, 7 June 2010 07:06:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:56:34 UTC