On Wed, May 6, 2015 at 4:17 AM, Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote: > On Tue, May 5, 2015 at 7:34 PM, Tantek Çelik <tan...@cs.stanford.edu> wrote: >> >> On Wed, May 6, 2015 at 12:51 AM, Ehsan Akhgari <ehsan.akhg...@gmail.com> >> wrote: >> > On 2015-05-05 6:31 PM, Daniel Holbert wrote: >> >> >> >> On 05/05/2015 02:51 PM, Ehsan Akhgari wrote: >> >>> >> >>> Sites such as Github currently use Flash in order to >> >>> allow people to copy text to the clipboard by clicking a button in >> >>> their >> >>> UI. >> >> First, this is awesome and can't wait to try it out. >> >> Second, "cut" is potentially destructive to user data, have you >> considered enabling this only for secure connections? Either way it >> would be good to know the reasoning behind your decision. > > > Hmm, what would that prevent against though? A web page could just use the > normal DOM APIs to destroy the user data (e.g., something like the contents > of a blog post the user is writing in a blogging web app). Is this what you > had in mind?
Sorry I wasn't clear. *Both* "cut" and "copy" have the impact of *clearing* the previous clipboard data (on typical platforms). Thus if the user had say, cut a bunch of text from another application (like a text editor), and then switched to a browser window, gotten distracted and clicked something, it is *possible* the page could select text, do a cut/copy, and blow away that bunch of text from the other application. Result: loss of user data that user had put into the clipboard previously. This isn't possible with current DOM APIs and is a new vulnerability introduced by cut/copy. Tantek _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform