On Wed, May 6, 2015 at 8:42 AM, Doug Turner <do...@mozilla.com> wrote:
>
>> On May 6, 2015, at 7:30 AM, Tantek Çelik <tan...@cs.stanford.edu> wrote:
>>
>> Not pure vandalism. The user data loss is a side-effect of other incentives.
>>
>> E.g. trivial "attacker" incentive: all those share-button-happy
>> news/media sites are likely to auto-copy URL + title of an article
>> you're reading when you do any user interaction with the article, in
>> the hopes that maybe you might paste the URL into an IM or email etc.
>> and send them some more traffic (given how much they annoyingly
>> sacrifice performance and page load/scroll speed with all their
>> like/+1/share/addthis etc. buttons, I see no reason to expect any
>> different behavior with this feature).
>
> Hi Tantek,
>
> This is important. We could mitigate by requiring https, only allowing the
> top level document access these clipboard apis, and doorhangering the API.
> Thoughts?

If news/media websites are likely to use the clipboard as an ad space,
why aren't we seeing that happening now? Remember that this is already
possible using flash. But to my knowledge this is not a big problem on
the web today. Even on websites that already take the performance hit
of initiating the flash plugin.

> Somewhat related, I do think bad actors should be treated harshly by all UAs.
> If we have a site or 3rd party load doing bad things, we could just decide
> not to load that content. We already do this for malware via safe browsing,
> and for tracking websites via Tracking Protection (about:config,
> privacy.trackingprotection.enabled).

I definitely think it'd be cool if we had tracking-protection like
mechanisms to auto-block various APIs on websites that are bad actors.
For example it'd be cool to completely disable the ability to open
popups, even from user actions, on websites that use other user
interactions as an opportunity to create popups.

/ Jonas
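
The mitigations floated in this thread (HTTPS only, top-level document only, a doorhanger prompt, plus a tracking-protection-style block list for bad actors) can be modelled as one ordered decision. This is an added example, not part of the thread and not Gecko code; the function names, the request fields and the block-list host are hypothetical.

```javascript
// Hypothetical model of the gating discussed in the thread (not browser code).
// Constructed sample block list of hosts flagged for clipboard abuse.
const BLOCKED_HOSTS = new Set(["clipboard-abuser.example"]);

// True if the host, or any parent domain of it, is on the block list.
function hostIsBlocked(hostname, blocked) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (blocked.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// req.documentUrl:      URL of the document calling the clipboard API
// req.isTopLevel:       false for iframes and other nested documents
// req.storedPermission: "granted", "denied", or undefined (never asked)
function decideClipboardWrite(req, blocked = BLOCKED_HOSTS) {
  let url;
  try {
    url = new URL(req.documentUrl);
  } catch {
    return { action: "deny", reason: "unparseable document URL" };
  }
  // Block list first: a flagged site gets no prompt at all.
  if (hostIsBlocked(url.hostname, blocked)) {
    return { action: "deny", reason: "origin is on the bad-actor list" };
  }
  if (url.protocol !== "https:") {
    return { action: "deny", reason: "document is not served over https" };
  }
  if (!req.isTopLevel) {
    return { action: "deny", reason: "caller is not the top-level document" };
  }
  // Doorhanger step: reuse a remembered answer, otherwise ask the user.
  switch (req.storedPermission) {
    case "granted":
      return { action: "allow", reason: "user granted access earlier" };
    case "denied":
      return { action: "deny", reason: "user denied access earlier" };
    default:
      return { action: "prompt", reason: "show doorhanger" };
  }
}
```

Checking the block list before the permission state means a remembered "granted" answer cannot keep a later-flagged site working.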