On Wed, May 6, 2015 at 4:17 AM, Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
> On Tue, May 5, 2015 at 7:34 PM, Tantek Çelik <tan...@cs.stanford.edu> wrote:
>>
>> On Wed, May 6, 2015 at 12:51 AM, Ehsan Akhgari <ehsan.akhg...@gmail.com>
>> wrote:
>> > On 2015-05-05 6:31 PM, Daniel Holbert wrote:
>> >>
>> >> On 05/05/2015 02:51 PM, Ehsan Akhgari wrote:
>> >>>
>> >>> Sites such as Github currently use Flash in order to
>> >>> allow people to copy text to the clipboard by clicking a button in
>> >>> their
>> >>> UI.
>>
>> First, this is awesome and can't wait to try it out.
>>
>> Second, "cut" is potentially destructive to user data, have you
>> considered enabling this only for secure connections? Either way it
>> would be good to know the reasoning behind your decision.
>
>
> Hmm, what would that prevent against though?  A web page could just use the
> normal DOM APIs to destroy the user data (e.g., something like the contents
> of a blog post the user is writing in a blogging web app).  Is this what you
> had in mind?

Sorry I wasn't clear.  *Both* "cut" and "copy" have the impact of
*clearing* the previous clipboard data (on typical platforms).

Thus if the user had say, cut a bunch of text from another application
(like a text editor), and then switched to a browser window, gotten
distracted and clicked something, it is *possible* the page could
select text, do a cut/copy, and blow away that bunch of text from the
other application.

Result: loss of user data that user had put into the clipboard
previously. This isn't possible with current DOM APIs and is a new
vulnerability introduced by cut/copy.

Tantek
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Reply via email to