On Wed, May 6, 2015 at 5:49 PM, Martin Thomson <m...@mozilla.com> wrote:
> On Wed, May 6, 2015 at 8:42 AM, Doug Turner <do...@mozilla.com> wrote:
>> This is important. We could mitigate by requiring https, only allowing the
>> top level document access these clipboard apis,

Thanks Doug. I think your first two suggestions are an excellent start.

Since we have no legacy to deal with, we can start conservative, and wait for web developer feedback, and iterate accordingly.

Thus, straw proposal, let's use your first two:
* mitigate by requiring https
* only allowing the top level document access these clipboard apis

And then if developers complain about either of these restrictions in practice, then hopefully they'll come with specific use-cases for us to consider.

>> and doorhangering the API. Thoughts?
>
> A doorhanger seems like overkill here.

Agreed.

> Making this conditional on an
> "engagement gesture" seems about right.

Agreed on that too.

> I don't believe that we
> should be worried about surfing - and interacting with - strange sites
> while there is something precious on the clipboard.

Having lost clipboard data personally - I think this is an actual issue.

> "Ask forgiveness, not permission" seems about the right balance here.

I'd phrase it in a more user-centric manner, that is, a user interface should be forgiving of user mistakes, rather than asking permission.

Thanks,

Tantek
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform