Closed Bug 202253 Opened 23 years ago Closed 23 years ago

www.mozilla.org should NOT be granted clipboard access by default

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.4beta

People

(Reporter: igor, Assigned: security-bugs)

Details

(Whiteboard: midas, patch)

Attachments

(1 file)

Patch - remove prefs allowing mozilla.org to access clipboard
1.17 KB, patch
mkaply
: review+
hjtoi-bugzilla
: superreview+
asa
: approval1.4+
Details | Diff | Splinter Review
According to http://lxr.mozilla.org/seamonkey/source/modules/libpref/src/init/all.js#456: pref("capability.policy.allowclipboard.sites", "http://www.mozilla.org"); But why then www.mozilla.org is granted the access to the clipboard by default WITHOUT user knowledge??? Too many people can influence the site and what if hostile script will somehow appear there and will try to grab keyboard context with possibly sensitive information??? If this is done for convenience, then it already proved wrong since people wasted there time trying to figure out why their code does not work while one on mozilla.org does. From the newsgroup exchange: -------- Original Message 1 -------- Subject: Re: midas, execCommand, cut, copy & paste Date: Wed, 16 Apr 2003 06:59:23 -0400 From: Benjamin Smedberg <bsmedberg@covad.net> Organization: Another Netscape Collabra Server User Newsgroups: netscape.public.mozilla.jseng,netscape.public.mozilla.xpcom References: <ygrwuhva7cf.fsf@tva.ifi.uio.no> > This boggles my mind. execCommand works fine in mozilla 1.4a, and in > the midas demo at http://www.mozilla.org/editor/midasdemo/ cut, copy > and paste works fine. When I try to use these functions myself, > however, they don't - they generete an > NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED exception with the message > "Access to XPConnect service denied" code: "1011". At http://lxr.mozilla.org/seamonkey/source/modules/libpref/src/init/all.js#456 pref("capability.policy.allowclipboard.sites", "http://www.mozilla.org"); So to use this in your own application you would need to enable security... try one of the following: netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead"); (this might work for copy) netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserWrite"); (this might work for cut/paste) netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); (this might just work) If you're doing this from website JS (as opposed to the local filesystem), you will need a signed script. --BDS -------- End of Original Message 1 -------- -------- Original Message 2 -------- Subject: Re: midas, execCommand, cut, copy & paste Date: Wed, 16 Apr 2003 09:05:10 -0400 From: David Bradley <dbradleyXSPAM@netscape.com> Organization: Another Netscape Collabra Server User Newsgroups: netscape.public.mozilla.jseng,netscape.public.mozilla.xpcom References: <ygrwuhva7cf.fsf@tva.ifi.uio.no> <b7jcj4$cp91@ripley.netscape.com> <ygrk7duae30.fsf@tva.ifi.uio.no> Fredrik de Vibe wrote: > for it's 'own' site. I also fail to see the potential security issues > wrt this, so if somebody would enlighten me here as well, I'd be > grateful. It would allow a web page to transmit the contents of the clipboard back. Now imagine you had a credit card number, ss #, or other sensitive information in the clipboard. You don't want web sites having access to any local data, including the clipboard, without the user's knowledge. David -------- End of Original Message 2 --------
Over to security.
Assignee: ben → mstoltz
Severity: normal → critical
Component: Preferences → Security: General
QA Contact: sairuh → carosendahl
So you trust mozilla the application but not the website? I think it's useful to have an example site in all.js so people can figure out what pref needs to be fixed to get copy/paste to work.
Whiteboard: midas
> So you trust mozilla the application but not the website? I trust a particular mozilla binary provided by http://www.mozilla.org since I know that only few persons can update it and any Trojan replacement will noticed there sooner rather later. But trusting all www.mozilla.org is just bad idea. There are just too many people who can update the site and a Trojan script slipping in one of the project pages for example can be hard to notice. > I think it's useful to have an example site in all.js so people can figure out what pref needs to be fixed to get copy/paste to work. This is already proved to be wrong since people tried to use the functionality on their own just to find out it does not work. Then they wasted their time trying to figure out what is different. Moreover, such approach hides the fact the a special action should be performed to enable the functionality and missed an opportunity how a general text editor would behave. If http://www.mozilla.org/editor/midasdemo/ would contain clear instructions what to do to enable it, that would be very convenient. Moreover, since now it is possible to edit preferences from the browser itself, a user will need just few mouse click to enable it while be aware of implications.
Your impression that there is only one person who can affect Mozilla binaries is misguided. There are actually more people who can affect changes to Mozilla binaries than to the web site. That said I doubt we could get normal people to follow directions for using about:config, it would be better to provide a mechanism ala n4 java where a site can request a list of permissions as a group and the user can choose to grant them for the session or permanently. I'm fairly certain that we don't have anything like this in caps, but I'd hope there's a bug for it. note that it's actually 3 preferences pref("capability.policy.allowclipboard.sites", "http://www.mozilla.org"); pref("capability.policy.allowclipboard.Clipboard.cutcopy", "allAccess"); pref("capability.policy.allowclipboard.Clipboard.paste", "allAccess"); and each site might really want/need to make its own policy which means asking the user to manually add three or more preferences. per http://bugzilla.mozilla.org/bug_status.html#severity i'm clobbering the severity.
Severity: critical → normal
Component: Security: General → Security: CAPS
We actually discussed doing this but simply didn't have the time. The idea of having a "clipboard manager" seemed silly. What mozilla needs is a generic permissions manager that handles all permissions.
Let's remove the pref that allows mozilla.org to access the clipboard - too many people can add content to that site, and it looks bad if we build in exemptions like this.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.4beta
Attachment #121338 - Flags: superreview?(heikki)
Attachment #121338 - Flags: review?(mkaply)
Attachment #121338 - Flags: superreview?(heikki) → superreview+
Comment on attachment 121338 [details] [diff] [review] Patch - remove prefs allowing mozilla.org to access clipboard I'll approve this for 1.3b as well once the bugzilla stuff is in place.
Attachment #121338 - Flags: review?(mkaply) → review+
Comment on attachment 121338 [details] [diff] [review] Patch - remove prefs allowing mozilla.org to access clipboard Requesting approval for 1.4 . This patch just removes the pref that allows all pages at www.mozilla.org to access the user's clipboard. We don't want to be seen as having "backdoors."
Attachment #121338 - Flags: approval1.4?
Flags: blocking1.4?
Whiteboard: midas → midas, patch
Comment on attachment 121338 [details] [diff] [review] Patch - remove prefs allowing mozilla.org to access clipboard a=asa (on behalf of drivers) for checkin to 1.4
Attachment #121338 - Flags: approval1.4? → approval1.4+
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
verified
Status: RESOLVED → VERIFIED
Flags: blocking1.4?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: