Subj : Re: midas, execCommand, cut, copy & paste
To : netscape.public.mozilla.jseng,netscape.public.mozilla.xpcom
From : Mitchell Stoltz
Date : Fri Apr 18 2003 12:41 pm

Fredrik de Vibe wrote:
> Nevertheless, while in the spec only paste is listed as disabled due
> to security issues, neither cut nor copy is (i.e. listed as disabled).
> It appears to me the security issues don't apply to these functions
> but they are still casting the same exception indicating they too are
> disabled for the same reason (1.4a), that sounds to me like either
> something missing from the spec or a bug.

Yes, the spec is out of date. Previously, we blocked the Paste command only; now we block Cut and Copy as well. Paste is clearly the more dangerous operation as it allows stealing the contents of the clipboard, but Cut and Copy can be used for some malicious things too, like putting porn or advertisements in your clipboard, erasing what was there.

Under IE, a popup window running in the background or even hidden can poll the contents of your clipboard at regular intervals and send whatever it finds off to an attacker. This can be disabled, but you have to go into prefs and know where to look. In Mozilla we're taking the safer approach of disabling it by default.