On Wed, May 6, 2015 at 8:42 AM, Doug Turner <do...@mozilla.com> wrote:
> This is important. We could mitigate by requiring https, only allowing the
> top level document access these clipboard apis, and doorhangering the API.
> Thoughts?

A doorhanger seems like overkill here. Making this conditional on an "engagement gesture" seems about right. I don't believe that we should be worried about surfing - and interacting with - strange sites while there is something precious on the clipboard.

"Ask forgiveness, not permission" seems about the right balance here. If we can find a way to revoke permission for a site that abuses the privilege, that's better. (Adding this to about:permissions with a default on state seems about right, which leads me to think that we need the same for the fullscreen thing.)