On Wed, May 6, 2015 at 10:08 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Wed, May 6, 2015 at 7:02 PM, Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
>> * Restricting this API to resources loaded from a secure origin also doesn't
>> help in any way in practice.  It doesn't address your original concern _at
>> all_ (since your malicious web site can easily get a certificate and perform
>> the same annoying operation), and a potential network attacker MITMing your
>> connection can inject a tiny Flash object and script it.  It will be a few
>> more lines of code for the attacker to write, and they would get a pretty
>> solid attack for the majority of desktop users, at least.
>
> Flash will go away (to the extent it hasn't already on mobile), this
> feature won't. We should offer better security than what came before.

But the argument here is "if websites had access to write to the
clipboard, they will do horrible things X, Y and Z". However that
argument is fairly easily disproven by looking at websites that exist
today.

Also keep in mind that for any well-behaving websites, limiting the
ability to write to the clipboard is an annoyance for users. The
reason this feature is getting added is because *users* are annoyed
that they have to use keyboard shortcuts to copy data. I would argue
that users visit far more well-behaving websites than ones that don't
care about user experience.

Like Ehsan, I don't see what advantages limiting this to https brings?

/ Jonas
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
