Jonas Ådahl <jad...@gmail.com> writes:

> On Wed, Jul 28, 2021 at 11:06:43AM +0000, Alyssa Ross wrote:
>> Daniel Stone <dan...@fooishbar.org> writes:
>>
>> >> One big issue for us is protecting the system against potentially
>> >> malicious Wayland clients. It's important that a compartmentalized
>> >> application can't read from the clipboard or take a screenshot of the
>> >> whole desktop without user consent. (The latter is possible in
>> >> wlroots compositors with wlr-screencopy.)
>> >>
>> >> So an idea I had was to write a proxy program that would sit
>> >> in front of the compositor, and receive connections from clients. If
>> >> a client sent a wl_data_offer::receive, for example, the proxy could
>> >> ask for user confirmation before forwarding that to the compositor.
>> >
>> > As you've noted, the core protocol doesn't offer any way to scrape
>> > these contents without additional extension protocols, which are not
>> > implemented by all compositors. Generally speaking, GNOME's Mutter and
>> > Weston tend not to implement these protocols, and wlroots-based
>> > compositors tend to implement them.
>>
>> That's true for screenshots, but it's not true for clipboard contents,
>> right? As I understand it, any application can paste, with the only
>> restriction being that it has to be in the foreground at the time, and
>> wl-clipboard[1] seems to demonstrate that it's possible to fulfill that
>> requirement without being visible to the user at all.
>
> Getting things from the clipboard is generally supposed to require an
> interaction of some sort, e.g. a button press, key press, touch down,
> etc, but it might be not properly implemented here and there.
> wl-clipboard relies on this not being done good enough, and will
> eventually stop working, unless there exist some global state like
> clipboard manager protocol that bypasses any content restrictions that
> wl_data_device and friends apply.

That's good to know, but even so, there's no way for the compositor to know that the interaction corresponds to a user intent to paste. So an application could still abuse a mouseover, or just some unrelated typing in its window, to read the clipboard contents when the user wasn't expecting it to.
_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-devel
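
Added example, not part of the original e-mail or of any project mentioned in it: a sketch of the decision logic the proxy idea quoted above would need, parsing the Wayland wire format to spot `wl_data_offer::receive` requests that should be held for user confirmation. It assumes the proxy already knows the client's `wl_data_device` object ids and ignores file descriptors, which travel as ancillary data; `ReceiveGate`, `msg` and `string_arg` are hypothetical names and the sample messages are constructed.

```python
import struct

# Opcodes from the core wayland.xml protocol.
DATA_DEVICE_EVT_DATA_OFFER = 0   # wl_data_device.data_offer(new_id)
DATA_OFFER_REQ_RECEIVE = 1       # wl_data_offer.receive(mime_type, fd)
DATA_OFFER_REQ_DESTROY = 2       # wl_data_offer.destroy()

def messages(buf):
    """Split a byte stream into (object_id, opcode, payload) messages."""
    off = 0
    while off + 8 <= len(buf):
        # Header: object id, then size in the upper 16 bits, opcode in the lower.
        obj, word = struct.unpack_from("=II", buf, off)
        size, opcode = word >> 16, word & 0xFFFF
        if size < 8 or off + size > len(buf):
            raise ValueError("truncated or malformed message")
        yield obj, opcode, buf[off + 8:off + size]
        off += size

class ReceiveGate:
    """Tracks live wl_data_offer ids and flags receive requests on them."""
    def __init__(self, data_device_ids):
        self.devices = set(data_device_ids)  # assumption: learned earlier
        self.offers = set()

    def from_compositor(self, buf):
        for obj, opcode, payload in messages(buf):
            if obj in self.devices and opcode == DATA_DEVICE_EVT_DATA_OFFER:
                self.offers.add(struct.unpack_from("=I", payload)[0])

    def from_client(self, buf):
        """Return the MIME types of receive requests needing confirmation."""
        held = []
        for obj, opcode, payload in messages(buf):
            if obj not in self.offers:
                continue
            if opcode == DATA_OFFER_REQ_RECEIVE:
                (n,) = struct.unpack_from("=I", payload)  # length incl. NUL
                held.append(payload[4:4 + n - 1].decode())
            elif opcode == DATA_OFFER_REQ_DESTROY:
                self.offers.discard(obj)
        return held

def msg(obj, opcode, payload=b""):
    """Build a constructed sample message."""
    return struct.pack("=II", obj, (8 + len(payload)) << 16 | opcode) + payload

def string_arg(s):
    """Encode a string argument: length, bytes, NUL, padding to 32 bits."""
    raw = s.encode() + b"\0"
    return struct.pack("=I", len(raw)) + raw + b"\0" * (-len(raw) % 4)
```

The gate only identifies the request; as the reply above points out, nothing in the byte stream says whether the user meant to paste, so the confirmation step itself has to come from outside the protocol.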