hm, paste1.html injects js in another domain but when middle clicked on an image document the cookie is accessible only on trunk
Summary: some dangers of middle clicking → some dangers of middle-click paste
note that middle clicking does paste in most X applications
This does not block the final release of Firefox 3.
Flags: blocking-firefox3? → blocking-firefox3-
I'm declaring this bug to be about the "selection stealing" issue (#1). The other bug should be filed as blocking bug 527530 (if it hasn't already been fixed).
Summary: some dangers of middle-click paste → Using middle-click for both "open link in new tab" and "paste" means pages can steal your clipboard contents
Version: 2.0 Branch → Trunk
Hmm. This is a tricky problem. I'm not sure what to do about it... Seem like we can't do the obvious thing of disabling middle-click paste -- or middle-click opens a link -- because both of those would be breaking commonly used functionality. [Though there's something to be said for Linux desktops moving away from the old X-style clipboard, and middle-click being something a lot of people still haven't learned about]. I can't think of any obvious solution to disable pasting in certain cases (eg, unless a textarea is focused) that wouldn't just be easily bypassed. So, seeking ideas as we're stuck.
I'd chalk this up to being a general problem for Linux, and not try to fix it. Middle-click to paste was always a brain-dead thing to do, especially having multiple clipboards, automatically adding selected text to one of the two clipboards, oh my. Don't get me started. ;) If Linux ever becomes a mainstream consumer platform, we can revisit this, but for now I'd just recommend leaving this alone. If you're worried about it as an end user, don't use middle click.
> If Linux ever becomes a mainstream consumer platform, we can revisit this, > but for now I'd just recommend leaving this alone. If you're worried about > it as an end user, don't use middle click. Or set middlemouse.paste to false.
I concur with the last few comments. We may want to investigate disabling the middle-click-to-load behavior (middlemouse.contentLoadURL) by default on Linux in the future, but many users depend on the functionality, and given the choice, probably would opt to play their luck with someone doing this kind of trick rather than losing the functionality. Since the likelihood of this being abused is low, and the result of the abuse is not that serious most of the time (clipboard contents can be sensitive, but they most often aren't), WONTFIX.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.