On Wed, May 6, 2015 at 10:51 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 06/05/15 08:00, Tantek Çelik wrote:
>> Result: loss of user data that user had put into the clipboard
>> previously. This isn't possible with current DOM APIs and is a new
>> vulnerability introduced by cut/copy.
>
> Given that most text-editing applications have "undo" (if you used "cut"
> originally),

^^^ desktop assumption. Most (nearly all?) text editing applications and/or applications with editable text fields on *mobile* DO NOT have "undo".

> this strikes me as a low-level web page annoyance on a par
> with auto-playing irritating music.

^^^ disagreed - no data loss with auto-playing irritating music, just potential embarrassment / emotional annoyance.

> Although perhaps a little less
> discoverable as to the cause.

Very. Also the silent nature of this vulnerability means the user might not notice until long after the damage is done.

> I doubt this will be an issue in practice

Perhaps. I might conclude similarly, yet I thought this was worth raising as possible justification for enabling only in secure connections. Also this is a good concrete test-case of our blog post and indication of direction re: features and secured connections.

> - as the page doesn't get to see the data it's deleting, doing so would
> be pure vandalism, not worthy of an attacker who was trying to actually
> accomplish something.

Not pure vandalism. The user data loss is a side-effect of other incentives. E.g. trivial "attacker" incentive: all those share-button-happy news/media sites are likely to auto-copy URL + title of an article you're reading when you do any user interaction with the article, in the hopes that maybe you might paste the URL into an IM or email etc. and send them some more traffic (given how much they annoyingly sacrifice performance and page load/scroll speed with all their like/+1/share/addthis etc. buttons, I see no reason to expect any different behavior with this feature).

Tantek

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform