On 08/08/2024 11:58, Jeffrey Walton wrote:

> ++. I find the W3C's clipboard API and event API very dangerous.

The "clipboardchange" event is not supported, making enough people unhappy. Reading/writing is protected by either user gesture context or by permissions. However, a chance of unwanted access still exists.

> One of the takeaways is, we need a "one shot copy/paste" that stops
> sniffing and clears the clipboard after the user pastes the data so
> that webapps that sniff the clipboard have no information to gather.

xclip has -loops, xsel has --selectionTimeout, you may choose any, but not both at the same time. I would still prefer direct insertion into the input field, something similar to an on-screen keyboard that types the code. In the case of web forms, browser extensions can do it.

> Another takeaway is, you should never allow JavaScript on login pages.

I think enough login pages would not work with disabled JS. Some of them have scripts making paste or password managers hardly usable.

Actually in respect to clipboard sniffing I am more afraid of *regular* pages. Some site may be compromised, some may accidentally allow script injection from user content.

