> "Flash Player requires that the getData() be called in a paste event handler. In AIR, this restriction only applies to content outside of the application security sandbox.�
>
> I would be extremely concerned if flash player allowed arbitrary reading from the clipboard!
OK, I think I understand your point now. So here is a modified proposal:
* Allow execCommand("copy"/"cut") for all web content if run in response
to a user generated event.
* Allow execCommand("paste") only for certified apps or chrome content.
I think this should address your concern. Please let me know what you
think.
>> Are you worried about the types of attacks where they create a game asking the user to click around and keep reading the clipboard value by issuing an execCommand("paste") and examining the data on the clipboard through a paste event handler?
>
> That could be one scenario, but I�m more worried about opportunistic attacks. Like click an advertisement, and it gets the contents of your clipboard.
>
> So I think this approach might provide a mitigation for execCommand(cut/copy) but not for paste.
Yep, see the proposal above.
>>>>>>> I also like Ehsan's idea to require a trusted event, but on Firefox OS
>>>>>>> isn't everything the user does a trusted event which could be used?
>>>>>>
>>>>>> Not sure what you mean here by the trusted event. My idea was to enable
>>>>>> document.execCommand("copy"/"paste") *if* the execCommand function is
>>>>>> called in response to a user initiated event (a touch event, a key press
>>>>>> etc.) in order to prevent the page from calling these APIs when it's
>>>>>> idle. The basic idea is that there is no good reason why the page would
>>>>>> want to call these APIs if the user is not interacting with the page.
>>>>>>
>>>>>
>>>>> So, it seems we agree? I, too, think we should require event.isTrusted
>>>>> to be true.
>>>>>
>>>>
>>>> event.isTrusted would be true if the user presses Ctrl+C for example, and
>>>> it would be false if the web page runs execCommand("copy"). (But I'm not
>>>> sure why isTrusted matters here.)
>>>>
>>>>
>>>>> There's a lot of tap, touch and click in a mobile interface. A popular
>>>>> ap that is used regularly, could still poll the clipboard. But that's
>>>>> not as bad as an evil app lurking in the background! :)
>>>>>
>>>>
>>>> Yes that will remain a possibility. Note that with Flash exposing this
>>>> functionality on desktop, this _has_ been a possibility since forever. I
>>>> am not aware of a lot of abuses from this in the wild.
>>>
>>> As far as I can tell, Flash only exposes the ability to _write_ to the
>>> clipboard except for when handling paste events. Also, since a rash of
>>> malware in 2008 it only allows writing to the clipboard in response to
>>> user interaction (search for �clipboard poisoning" for related media
>> "In the application sandbox of Adobe AIR, setData() can be called anytime. In other contexts, setData() can only be called in response to a user-generated event such as a key press or mouse click.�
>
> Exactly. AIR is for desktop applications. We are interested Flash Player�s behaviour right, not AIR?
Yep, I was reading the second part actually: "In other contexts,
setData() can only be called in response to a user-generated event such
as a key press or mouse click." My new proposal is on par with this.
>>>>>> How does that sound?
>>>>>>
>>>>>
>>>>> I'm convinced this is going in a good direction. I just wonder if
>>>>> Firefox OS (gaia) should provide a user interface, so we have strong
>>>>> visual clues about what's going on.
>>>>> I'd hate if every app had to bring their own select, copy and paste
>>>>> buttons.
>>>>>
>>>>
>>>> I thought the idea is to let the system app render some kind of UI on top
>>>> of the app which provides this functionality by default, so that would
>>>> give
>>>> us the default OS level UI.
>>>
>>> I assume this is the case too from looking at the UX specs, but the
>>> system app will need an API fire cut/copy/paste/events so that it can
>>> provide this OS level UI, won�t it? Can we just expose
>>> execCommand(cut/copy/paste) via a permission to certified apps since we
>>> are going to need that level of access for the system app to be able to
>>> implement the UI for cut/copy/paste.
>>
>> As I've said before, exposing this functionality to the certified apps only is fine, but I'm trying to take this opportunity to address this issue for all Web content, because I think there is nothing Firefox OS specific about the actual use case here. (Think of why github requires to use the Flash plugin, I believe clipboard access is the only reason!)
>
> Yeh ignore me here - I didn�t realise that we already had a solution by extending the mozbrowser API.
>
>>
>>> This means that only certified apps can do UX as described in the spec
>>> [1] can implement buttons as per pages 4 & 5, but honestly Im not a big
>>> fan of letting apps create their own clipboard related UX - that seems
>>> more like something that should be handled by system UI to me for
>>> consistency and learnability, but thats just my opinion.
>>
>> Sure. I think that UI is provided by the system app... But note that the UX spec doesn't address all of the clipboard use cases and in fact it *only* addresses the most basic ones. Think of the Contacts app requiring to copy a contact, or the Email app requiring to copy the email address of someone, or the gallery app requiring to copy an image, etc. There are *tons* of clipboard use cases that our initial implementation doesn't address, and I think it's best to not limit the developers to the basic copy/paste use case that we're initially targeting.
>
> So what I am saying is that Cut/Copy/Paste are all system level actions that need to be trusted. We may provide an API to access the clipboard directly, but I feel that we should keep the APIs responsible for allowing the system app to implement the trusted Cut/Copy/Paste actions as restricted to the system app only. (As I said in my earlier email, I�m not real keen on the
Well, I'm trying to change your mind about copy and cut. :-) I am
convinced that we cannot expose paste as I originally wanted. But I'm
actually happy with ignoring paste for now.
>>> We might also look at exposing the ability to set the clipboard to
>>> user-initiated event loops, but that seems secondary to FxOS
>>> requirements, and doesn�t solve all the use cases here.
>>
>> Why do you think it doesn't solve the Firefox OS use case?
>
> Because I though you were talking about setting the clipboard only, but it seems I misunderstood you.
>
>>
>>
>> (Also note that bug 987040 doesn't have anything to do with the clipboard access, in that bug we just exposed a selection changed event.)
>
> Ah ok - so I asked on IRC what implemented copy & paste in Firefox OS, and this what Howie pointed me to. Because the WIP patch & the wiki spec [1] in that bug talks about cutToClipboard(), copyToClipboard(), pasteFromClipboard() I had assumed that this bug was responsible for this.
Originally the plans on that bug were exactly what Howie said, but I
convinced people that we need a lower level API, and we ended up
designing an API to notify the consumer of the mozbrowser API of the
changes in the selection in the content loaded inside the mozbrowser and
also express the bounds of the selection on the screen, to let the
system app implement the bubble on top of that. The copy and paste part
was not addressed in that bug.
> If not here, are there separate bugs which implement these clipboard methods? Or is this still under discussion?
I am not aware of any existing bugs on that. It seems to me that you're
arguing for having a mozbrowser API for doing copy/paste and Tim in the
original email in this thread is asking for a way for the apps
themselves to be able to copy/paste. I guess we need to reconcile on
which one we should allow first. (We might want to do both.)
FWIW, the command bubble in the UX spec pretty much requires us to do
this work in the system app, which means we'll have to expose the
mozbrowser APIs at any rate, I think.
Cheers,
Ehsan