Closed Bug 734188 Opened 10 years ago Closed 1 year ago

Content copied to the clipboard should carry taint to allow warnings if it is used in a risky context

Categories

(DevTools :: General, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: ygjb, Unassigned)

Details

(Keywords: sec-want, Whiteboard: [sg:want?])

Although controls have been improved around javascript: URLs, users can still copy and paste content into sensitive areas.  When content is pasted into a gcli command line, the content should be checked for taint, and a warning or additional steps could be taken to protect users from potentially malicious content.

The specific concern that triggered this is the upcoming support for execution of shell commands via gcli.
For previous context on solving the Self-XSS problem see bug 664589, and our currently proposed solution:
http://incompleteness.me/mozblog/2011/12/14/combating-self-xss/
I imagine you only want to throw a warning if its causing bad things. Sorry to split hairs, but you haven't stated that. I.e., pasting javascript: is bad, copy pasting URLs you probably want to allow? But then can't the latter cause XSS too (reflected XSS in sites). 

Further, I would love more discussion on what you mean by 'warnings'. Alert style warnings that block are pretty much useless, I think, in addition to being really annoying. Not clear how we can design a warning that actually works.
Product: Firefox → DevTools

GCLI command line has been deprecated (and removed) long time ago. Closing

Honza

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.