[tor-bugs] #10593 [Firefox Patch Issues]: Clipboard data might be leaking

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 14 10:24:19 UTC 2014 

#10593: Clipboard data might be leaking
-------------------------------------+-------------------------------------
     Reporter:  gk                   |      Owner:  mikeperry
         Type:  defect               |     Status:  new
     Priority:  normal               |  Milestone:
    Component:  Firefox Patch        |    Version:
  Issues                             |   Keywords:  tbb-linkability,
   Resolution:                       |  tbb-3.0
Actual Points:                       |  Parent ID:
       Points:                       |
-------------------------------------+-------------------------------------

Comment (by gk):

 Replying to [comment:2 mikeperry]:
 > What is the scope of this? In #10285, you said cross-origin. Does that
 just mean 3rd parties on the current tab? Or all tabs?
 >
 > In either case, this seems like something Mozilla should be aware of. If
 I am writing some kind of webapp that sources third party content in
 iframes (like ads), it seems bad to have those third party frames
 observing *any* events outside their origin. In fact, that is usually
 forbidden.

 Okay, I was a bit brief regarding "cross-origin content". It just meant
 that wherever I copied/cut the content from (could be from the same origin
 or from a different origin (being loaded e.g. in a different tab) or even
 chrome (like the URL bar)) the first party I am pasting the content into
 might get that data. At first glance this seems like no big deal as users
 actually want that the data they paste into, say, a form should be
 available to the site hosting it (Do they? Maybe they made a mistake and
 are (or better: were) glad that they can delete the wrong pasting before
 pressing the "Send" button). But that changes as soon as one realizes that
 third party scripts included into the website have the same power as they
 are treated as first party.

 Regarding your iframe example: That should be no problem as iframes are
 not allowed to attach those listeners to the parent document.

 > What about pasting things into the url bar or other chrome areas? Is
 that still visible to content?

 No.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10593#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list