On 2015-05-20 9:41 PM, t...@bocoup.com wrote:
> I am not sure if this is the right avenue to raise concern (again) over not requiring a prompt. It seems that "user action" here implies that a user intended on having their clipboard destroyed intentionally. (Like requesting a SHA from GitHub).

No, I never meant to imply that. The only level of protection that we're implementing is to make it impossible for the page to do this when it's not being interacted with (for example, if you have the page open in the background.)

> However, I created a very basic demo here: http://jsfiddle.net/azgugmjb/3/ that shows how easy (in Chrome 43) it is to abuse the "user action". I really hope this shines some light on the potential for real world abuse. The user action in my demo is simply highlighting text. The use of `.select()` prevents the user from actually using the system keybinding for copying and will inject into their clipboard something other than what they intended.

Yes, but you could construct a similar test case for copying something through Flash by, for example, placing a transparent Flash movie in front of that text and simulating the visual selection yourself, or rendering the text in the Flash movie itself, etc.
And that is exactly the point I have been trying to make. The potential for abuse definitely exists today, with Flash. And so far we have no evidence that this is an issue in practice today. At the very least, by allowing web developers to use the API implemented in the browser engine, we will have some chance of reacting to this abusive behavior becoming a problem in practice in the future, but if we hamper the user experience by doing things such as displaying a prompt, Web developers will just continue to use Flash at least on desktop where it's widely available, and we wouldn't have a good way to react to this problem if it proves to be a practical issue.
Therefore, I remain unconvinced that we need to display a prompt for this API.

Cheers,
Ehsan
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform