On 06/05/15 18:08, Anne van Kesteren wrote:
On Wed, May 6, 2015 at 7:02 PM, Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
* Restricting this API to resources loaded from a secure origin also doesn't
help in any way in practice. It doesn't address your original concern _at
all_ (since your malicious web site can easily get a certificate and perform
the same annoying operation), and a potential network attacker MITMing your
connection can inject a tiny Flash object and script it. It will be a few
more lines of code for the attacker to write, and they would get a pretty
solid attack for the majority of desktop users, at least.
Flash will go away (to the extent it hasn't already on mobile), this
feature won't. We should offer better security than what came before.
We also need to make a browser that people want to use. This means not
regressing the UX compared to what came before, or being markedly worse
than other browsers. Adding prompt/permissions UI in this case seems
like it is just going to be yet another papercut that will annoy more
people than will be pleased because we prevent some rogue website having
an unwanted interaction with the clipboard.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
