On Mon, Dec 14, 2009 at 4:26 PM, Tyler Close <tyler.cl...@gmail.com> wrote:
> On Mon, Dec 14, 2009 at 2:38 PM, Adam Barth <w...@adambarth.com> wrote:
>> On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close <tyler.cl...@gmail.com> wrote:
>>> For example, the
>>> User Consent Phase and Grant Phase above could be replaced by a single
>>> copy-paste operation by the user.
>>
>> Any design that involves storing confidential information in the
>> clipboard is insecure because IE lets arbitrary web sites read the
>> user's clipboard. You can judge that to be a regrettable choice by
>> the IE team, but it's just a fact of the world.
>
> And so we use the alternate, no-copy-paste design on IE while waiting
> for a better world; one in which users can safely copy data between
> web pages.

Just so that everyone knows, IE has changed this policy, so it's not a
situation where we'll be waiting forever. See:

http://msdn.microsoft.com/en-us/library/bb250473(VS.85).aspx

Adam, were you aware of this policy change?

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html