Mark and I were talking about a related issue, and I thought it might be helpful to track taint for content copied to the clipboard and raise a warning if the user attempts to paste it into a context where Javascript code might get executed (for example, the address bar, or the web developer toolbar).
I haven't thought too much about the feasibility of it yet, and this doesn't currently add much to mitigation of self-xss via javascript: urls in light of changes to how those urls are handled in the awesomebar, but it seems like it might be a good idea when dealing with the upcoming gcli changes that will allow a web developer to invoke command line executables from within the developer toolbar. I filed a bug for this https://bugzilla.mozilla.org/show_bug.cgi?id=734188 Related: https://bugzilla.mozilla.org/show_bug.cgi?id=664589 https://etherpad.mozilla.org/664589 _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
