Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#10593 closed defect (not a bug)

Clipboard data might be leaking

Reported by: gk Owned by: mikeperry
Priority: Medium Milestone:
Component: Firefox Patch Issues Version:
Severity: Normal Keywords: tbb-linkability, tbb-3.0
Cc: intrigeri@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Some preliminary testing in #10285 comment 1 showed that websites might listen at least to the paste event and obtain user sensitive data this way. A quick workaround is setting "dom.event.clipboardevents.enabled" to "false".

Child Tickets

Change History (5)

comment:1 Changed 6 years ago by intrigeri

Cc: intrigeri@… added

comment:2 Changed 6 years ago by mikeperry

What is the scope of this? In #10285, you said cross-origin. Does that just mean 3rd parties on the current tab? Or all tabs?

In either case, this seems like something Mozilla should be aware of. If I am writing some kind of webapp that sources third party content in iframes (like ads), it seems bad to have those third party frames observing *any* events outside their origin. In fact, that is usually forbidden.

What about pasting things into the url bar or other chrome areas? Is that still visible to content? That would be even worse.

comment:3 in reply to:  2 Changed 6 years ago by gk

Replying to mikeperry:

What is the scope of this? In #10285, you said cross-origin. Does that just mean 3rd parties on the current tab? Or all tabs?

In either case, this seems like something Mozilla should be aware of. If I am writing some kind of webapp that sources third party content in iframes (like ads), it seems bad to have those third party frames observing *any* events outside their origin. In fact, that is usually forbidden.

Okay, I was a bit brief regarding "cross-origin content". It just meant that wherever I copied/cut the content from (could be from the same origin or from a different origin (being loaded e.g. in a different tab) or even chrome (like the URL bar)) the first party I am pasting the content into might get that data. At first glance this seems like no big deal as users actually want that the data they paste into, say, a form should be available to the site hosting it (Do they? Maybe they made a mistake and are (or better: were) glad that they can delete the wrong pasting before pressing the "Send" button). But that changes as soon as one realizes that third party scripts included into the website have the same power as they are treated as first party.

Regarding your iframe example: That should be no problem as iframes are not allowed to attach those listeners to the parent document.

What about pasting things into the url bar or other chrome areas? Is that still visible to content?

No.

comment:4 Changed 6 years ago by mikeperry

Resolution: not a bug
Status: newclosed

I think I am going to agree that this is not a substantial leak. A mispaste can be gathered lots of ways, and we don't want to block pasting, or prompt for pasting.

comment:5 Changed 4 years ago by cypherpunks

Severity: Normal

dom.event.clipboardevents.enabled=false doesn't block pasting.

Note: See TracTickets for help on using tickets.