Closed Bug 202253 Opened 21 years ago Closed 21 years ago

www.mozilla.org should NOT be granted clipboard access by default

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.4beta

People

(Reporter: igor, Assigned: security-bugs)

Details

(Whiteboard: midas, patch)

Attachments

(1 file)

Patch - remove prefs allowing mozilla.org to access clipboard
1.17 KB, patch
mkaply
: review+
hjtoi-bugzilla
: superreview+
asa
: approval1.4+
Details | Diff | Splinter Review 
According to
http://lxr.mozilla.org/seamonkey/source/modules/libpref/src/init/all.js#456:

pref("capability.policy.allowclipboard.sites", "http://www.mozilla.org");

But why then www.mozilla.org is granted the access to the clipboard by default
WITHOUT user knowledge??? Too many people can influence the site and what if
hostile script will somehow appear there and will try to grab keyboard context
with possibly sensitive information???

If this is done for convenience, then it already proved wrong since people
wasted there time trying to figure out why their code does not work while one on
mozilla.org does.


From the newsgroup exchange:

-------- Original Message 1 --------
Subject: Re: midas, execCommand, cut, copy & paste
Date: Wed, 16 Apr 2003 06:59:23 -0400
From: Benjamin Smedberg <bsmedberg@covad.net>
Organization: Another Netscape Collabra Server User
Newsgroups: netscape.public.mozilla.jseng,netscape.public.mozilla.xpcom
References: <ygrwuhva7cf.fsf@tva.ifi.uio.no>

> This boggles my mind. execCommand works fine in mozilla 1.4a, and in
> the midas demo at http://www.mozilla.org/editor/midasdemo/ cut, copy
> and paste works fine. When I try to use these functions myself,
> however, they don't - they generete an
> NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED exception with the message
> "Access to XPConnect service denied" code: "1011".

At 
http://lxr.mozilla.org/seamonkey/source/modules/libpref/src/init/all.js#456
pref("capability.policy.allowclipboard.sites", "http://www.mozilla.org");

So to use this in your own application you would need to enable 
security... try one of the following:
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead"); 
(this might work for copy)
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserWrite");
(this might work for cut/paste)
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
(this might just work)

If you're doing this from website JS (as opposed to the local 
filesystem), you will need a signed script.

--BDS
-------- End of Original Message 1 --------

-------- Original Message 2 --------
Subject: Re: midas, execCommand, cut, copy & paste
Date: Wed, 16 Apr 2003 09:05:10 -0400
From: David Bradley <dbradleyXSPAM@netscape.com>
Organization: Another Netscape Collabra Server User
Newsgroups: netscape.public.mozilla.jseng,netscape.public.mozilla.xpcom
References: <ygrwuhva7cf.fsf@tva.ifi.uio.no> <b7jcj4$cp91@ripley.netscape.com>
<ygrk7duae30.fsf@tva.ifi.uio.no>

Fredrik de Vibe wrote:
> for it's 'own' site. I also fail to see the potential security issues
> wrt this, so if somebody would enlighten me here as well, I'd be
> grateful.

It would allow a web page to transmit the contents of the clipboard 
back. Now imagine you had a credit card number, ss #, or other sensitive 
information in the clipboard. You don't want web sites having access to 
any local data, including the clipboard, without the user's knowledge.

David
-------- End of Original Message 2 --------
Over to security.
Assignee: ben → mstoltz
Severity: normal → critical
Component: Preferences → Security: General
QA Contact: sairuh → carosendahl
So you trust mozilla the application but not the website?

I think it's useful to have an example site in all.js so people can figure out
what pref needs to be fixed to get copy/paste to work.
Whiteboard: midas
> So you trust mozilla the application but not the website?

I trust a particular mozilla binary provided by http://www.mozilla.org since I
know that only few persons can update it and any Trojan replacement will noticed
there sooner rather later. 

But trusting all www.mozilla.org is just bad idea. There are just too many
people who can update the site and a Trojan script slipping in one of the
project pages for example can be hard to notice. 

> I think it's useful to have an example site in all.js so people can figure out
what pref needs to be fixed to get copy/paste to work.


This is already proved to be wrong since people tried to use the functionality
on their own just to find out it does not work. Then they wasted their time
trying to figure out what is different. Moreover, such approach hides the fact
the a special action should be performed to enable the functionality and missed
an opportunity how a general text editor would behave.

If http://www.mozilla.org/editor/midasdemo/ would contain clear instructions
what to do to enable it, that would be very convenient. Moreover, since now it
is possible to edit preferences from the browser itself, a user will need just
few mouse click to enable it while be aware of implications. 
Your impression that there is only one person who can affect Mozilla binaries 
is misguided. There are actually more people who can affect changes to Mozilla 
binaries than to the web site.

That said I doubt we could get normal people to follow directions for using 
about:config, it would be better to provide a mechanism ala n4 java where a 
site can request a list of permissions as a group and the user can choose to 
grant them for the session or permanently. I'm fairly certain that we don't 
have anything like this in caps, but I'd hope there's a bug for it.

note that it's actually 3 preferences
pref("capability.policy.allowclipboard.sites", "http://www.mozilla.org");
pref("capability.policy.allowclipboard.Clipboard.cutcopy", "allAccess");
pref("capability.policy.allowclipboard.Clipboard.paste", "allAccess");
and each site might really want/need to make its own policy which means asking 
the user to manually add three or more preferences.

per http://bugzilla.mozilla.org/bug_status.html#severity i'm clobbering the 
severity.
Severity: critical → normal
Component: Security: General → Security: CAPS
We actually discussed doing this but simply didn't have the time.

The idea of having a "clipboard manager" seemed silly.

What mozilla needs is a generic permissions manager that handles all permissions.
Let's remove the pref that allows mozilla.org to access the clipboard - too many
people can add content to that site, and it looks bad if we build in exemptions
like this.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.4beta
Attachment #121338 - Flags: superreview?(heikki)
Attachment #121338 - Flags: review?(mkaply)
Attachment #121338 - Flags: superreview?(heikki) → superreview+
Comment on attachment 121338 [details] [diff] [review]
Patch - remove prefs allowing mozilla.org to access clipboard

I'll approve this for 1.3b as well once the bugzilla stuff is in place.
Attachment #121338 - Flags: review?(mkaply) → review+
Comment on attachment 121338 [details] [diff] [review]
Patch - remove prefs allowing mozilla.org to access clipboard

Requesting approval for 1.4 . This patch just removes the pref that allows all
pages at www.mozilla.org to access the user's clipboard. We don't want to be
seen as having "backdoors."
Attachment #121338 - Flags: approval1.4?
Flags: blocking1.4?
Whiteboard: midas → midas, patch
Comment on attachment 121338 [details] [diff] [review]
Patch - remove prefs allowing mozilla.org to access clipboard

a=asa (on behalf of drivers) for checkin to 1.4
Attachment #121338 - Flags: approval1.4? → approval1.4+
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
verified
Status: RESOLVED → VERIFIED
Flags: blocking1.4?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: