On 06/05/15 18:22, James Graham wrote:
On 06/05/15 18:08, Anne van Kesteren wrote:
On Wed, May 6, 2015 at 7:02 PM, Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
* Restricting this API to resources loaded from a secure origin also
doesn't help in any way in practice.  It doesn't address your original
concern _at all_ (since your malicious web site can easily get a
certificate and perform the same annoying operation), and a potential
network attacker MITMing your connection can inject a tiny Flash object
and script it.  It will be a few more lines of code for the attacker to
write, and they would get a pretty solid attack for the majority of
desktop users, at least.

Flash will go away (to the extent it hasn't already on mobile), this
feature won't. We should offer better security than what came before.



We also need to make a browser that people want to use. This means not
regressing the UX compared to what came before, or being markedly worse
than other browsers. Adding prompt/permissions UI in this case seems
like it is just going to be yet another papercut that will annoy more
people than will be pleased because we prevent some rogue website having
an unwanted interaction with the clipboard.

Oh, sorry, this is about https. On desktop, sites will just use Flash rather than https. On mobile, they are at least as likely to not support clipboard operations in Firefox as to switch to https. Again, users will just get the impression that Firefox is a slightly worse browser, for relatively little gain.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
