On Wed, Aug 7, 2024 at 10:22 PM Max Nikulin <maniku...@gmail.com> wrote:
>
> On 07/08/2024 11:40, to...@tuxteam.de wrote:
> > In my threat model, if I already have an application running under
> > my own user ID, I call XKCD 1200 [1] on it.
>
> The browser JavaScript API allows reading and writing the clipboard. It is
> protected to some extent by user prompts. On the other hand, in ChromeOS
> most applications run in the browser, so I will not be surprised
> if the policy becomes more permissive some day even though developers are
> aware of the related security issues.
++. I find the W3C's clipboard API and event API very dangerous. The event API is the one that responds to keypresses. Webapps use it to egress all sorts of information. I had a large hotel chain egress my email address on a form I did _not_ submit. Then the spam began.

One of the takeaways is, we need a "one shot copy/paste" that stops sniffing and clears the clipboard after the user pastes the data, so that webapps that sniff the clipboard have no information to gather. Another takeaway is, you should never allow JavaScript on login pages.

Jeff
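As an added illustration of the two points in Jeff's message (it is not code from the thread): the first half shows how a script listening for keystroke events can ship the contents of a field before any form is submitted, and the second half models the "one shot copy/paste" idea, where the clipboard hands its content to exactly one reader. Node's built-in EventTarget and Event stand in for DOM elements so it runs offline; the field names, the typed text, the `egress` sink and the `OneShotClipboard` class are all constructed for the example and are not browser APIs.

```javascript
// Added example, not part of the original messages.
// Assumes Node >= 15 so that EventTarget and Event exist as globals.

// Stand-in for an HTML <input>: an EventTarget with a name and a value that
// fires the same events a browser fires while the user types.
class FakeInput extends EventTarget {
  constructor(name) {
    super();
    this.name = name;
    this.value = '';
  }
  // Simulate typing one character: browsers fire keydown, update the value,
  // then fire input. No form submission is involved at any point.
  type(ch) {
    this.dispatchEvent(new Event('keydown'));
    this.value += ch;
    this.dispatchEvent(new Event('input'));
  }
  // Simulate focus leaving the field (user tabs or clicks elsewhere).
  blur() {
    this.dispatchEvent(new Event('blur'));
  }
}

// The sniffer: a page script that listens for keystroke events on every
// field and ships the accumulated value as soon as focus leaves the field.
// `egress` stands in for the fetch()/sendBeacon() call to the tracker's
// server; the caller supplies it so the demo never touches the network.
function attachSniffer(fields, egress) {
  for (const field of fields) {
    let keystrokes = 0;
    // Count input events so the result shows the data came from keystrokes,
    // not from a submitted form.
    field.addEventListener('input', () => { keystrokes += 1; });
    field.addEventListener('blur', () => {
      if (field.value !== '') {
        egress({ field: field.name, value: field.value, keystrokes });
      }
    });
  }
}

// Scenario (constructed): a user types into a booking form, then abandons
// it. Returns what the sniffer sent and whether submit ever ran.
function abandonedFormScenario() {
  const email = new FakeInput('email');
  const phone = new FakeInput('phone');
  const sent = [];
  const submitted = false; // no submit handler is ever wired up or called

  attachSniffer([email, phone], (record) => sent.push(record));

  for (const ch of 'alice@example.org') email.type(ch);
  email.blur(); // user tabs to the next field
  for (const ch of '555-0100') phone.type(ch);
  phone.blur(); // user clicks elsewhere and leaves without submitting

  return { sent, submitted };
}

// Model of the proposed "one shot" clipboard: the content is handed to
// exactly one reader and cleared, so a script that reads the clipboard after
// the user's paste gets nothing. This is a model, not a browser API.
class OneShotClipboard {
  #content = null;
  write(text) { this.#content = text; }
  read() {
    const out = this.#content;
    this.#content = null;
    return out;
  }
}

// Scenario (constructed): the user copies a secret, pastes it once, and a
// page script then tries to read the clipboard.
function oneShotPasteScenario() {
  const clip = new OneShotClipboard();
  clip.write('correct horse battery staple'); // user copies a password
  const pasted = clip.read();                  // the legitimate paste
  const sniffed = clip.read();                 // page script reads afterwards
  return { pasted, sniffed };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(abandonedFormScenario(), null, 2));
  console.log(JSON.stringify(oneShotPasteScenario(), null, 2));
}
```

The sniffer needs no access to the form's submit event at all: every character is visible through `input` (or `keydown`) listeners, and a `blur` listener is enough to know when a field is "done". That is why disabling script on a login page, rather than trusting the page not to send until submit, is the only control the user actually holds.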