Some preliminary testing in #10285 (closed) comment 1 showed that websites might listen at least to the paste event and obtain user sensitive data this way. A quick workaround is setting "dom.event.clipboardevents.enabled" to "false".
What is the scope of this? In #10285 (closed), you said cross-origin. Does that just mean 3rd parties on the current tab? Or all tabs?
In either case, this seems like something Mozilla should be aware of. If I am writing some kind of webapp that sources third party content in iframes (like ads), it seems bad to have those third party frames observing any events outside their origin. In fact, that is usually forbidden.
What about pasting things into the url bar or other chrome areas? Is that still visible to content? That would be even worse.
> What is the scope of this? In #10285 (closed), you said cross-origin. Does that just mean 3rd parties on the current tab? Or all tabs?
> In either case, this seems like something Mozilla should be aware of. If I am writing some kind of webapp that sources third party content in iframes (like ads), it seems bad to have those third party frames observing any events outside their origin. In fact, that is usually forbidden.
Okay, I was a bit brief regarding "cross-origin content". It just meant that wherever I copied/cut the content from (could be from the same origin or from a different origin (being loaded e.g. in a different tab) or even chrome (like the URL bar)) the first party I am pasting the content into might get that data. At first glance this seems like no big deal as users actually want that the data they paste into, say, a form should be available to the site hosting it (Do they? Maybe they made a mistake and are (or better: were) glad that they can delete the wrong pasting before pressing the "Send" button). But that changes as soon as one realizes that third party scripts included into the website have the same power as they are treated as first party.
Regarding your iframe example: That should be no problem as iframes are not allowed to attach those listeners to the parent document.
> What about pasting things into the url bar or other chrome areas? Is that still visible to content?
I think I am going to agree that this is not a substantial leak. A mispaste can be gathered lots of ways, and we don't want to block pasting, or prompt for pasting.
Trac: Status: new to closed; Resolution: N/A to not a bug
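The thread notes that third-party scripts included in a page are treated as first party and can therefore attach clipboard event listeners. As an added example (not part of the ticket; `installClipboardAudit` and `clipboardListenerLog` are hypothetical names), a site operator can load the following before any other script to record which script registers `copy`, `cut` or `paste` listeners:

```javascript
// Added example: audit which scripts register clipboard event listeners.
// Assumption: this file is loaded before every other script on the page.
const CLIPBOARD_EVENTS = new Set(['copy', 'cut', 'paste']);
const clipboardListenerLog = []; // one entry per observed registration

// Return the first stack frame outside this helper, i.e. the code that
// called addEventListener. Stack formats are engine-specific, so the
// value is a hint for manual review, not a parsed URL.
function callerFrame() {
  const frames = (new Error().stack || '').split('\n').map((s) => s.trim());
  const outside = frames.filter((f) => f && !/^Error\b/.test(f) &&
    !f.includes('callerFrame') && !f.includes('auditedAddEventListener'));
  return outside[0] || 'unknown';
}

// Wrap addEventListener on the given prototype and log clipboard
// registrations. Returns a function that restores the original method.
function installClipboardAudit(target = EventTarget.prototype) {
  const original = target.addEventListener;
  target.addEventListener = function auditedAddEventListener(type, listener, options) {
    if (CLIPBOARD_EVENTS.has(type)) {
      clipboardListenerLog.push({
        type,
        target: this && this.constructor ? this.constructor.name : 'unknown',
        capture: options === true || Boolean(options && options.capture),
        registeredBy: callerFrame(),
      });
    }
    // Registration itself is unchanged: the audit only observes.
    return original.call(this, type, listener, options);
  };
  return () => { target.addEventListener = original; };
}
```

Handlers assigned through `onpaste`-style properties or attributes do not go through `addEventListener` and are not recorded by this wrapper.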