> On May 6, 2015, at 7:30 AM, Tantek Çelik <tan...@cs.stanford.edu> wrote:
>
> Not pure vandalism. The user data loss is a side-effect of other incentives.
>
> E.g. trivial "attacker" incentive: all those share-button-happy
> news/media sites are likely to auto-copy URL + title of an article
> you're reading when you do any user interaction with the article, in
> the hopes that maybe you might paste the URL into an IM or email etc.
> and send them some more traffic (given how much they annoyingly
> sacrifice performance and page load/scroll speed with all their
> like/+1/share/addthis etc. buttons, I see no reason to expect any
> different behavior with this feature).

Hi Tantek,

This is important. We could mitigate by requiring https, only allowing the top-level document to access these clipboard APIs, and doorhangering the API. Thoughts?

Somewhat related, I do think bad actors should be treated harshly by all UAs. If we have a site or 3rd party load doing bad things, we could just decide not to load that content. We already do this for malware via safe browsing, and for tracking websites via Tracking Protection (about:config, privacy.trackingprotection.enabled).

Doug