FireFox 1.5 & clipboard access & controlling insert/overwrite mode

PMA said the following on 4/13/2006 6:04 AM:

Hi all,

I am porting a web application from IE 6.0 to FireFox 1.5. I have
solved almost all compatibility issues (quite a lot but not too bad)
except two of them :

1) Clipboard access thru' JavaScript (programmatical copy and
paste actions)
Can't programatically access the Clipboard in Firefox. It's an IE-only
security flaw - err - feature.
2) Monitoring and driving Insert/Overwrite mode on input fields

If memory serves me correctly, that can't be done in FF either.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

OK

Thanks

But why do you consider access to clipboard thru' JS is a sec flaw ? I
really wonder why ...

PMA wrote:

OK

Thanks

But why do you consider access to clipboard thru' JS is a sec flaw ? I
really wonder why ...

Many times the word security flaw is used, especially when no scenario
is described, it means annoyance. Nevertheless, in this particular
instance, it can lead to data loss for the user. Consider that you are
editing something in Word and you do a cut. Along comes a
window.setTimeout from an open browser which decides it wants to write
to the clipboard and, poof, you don't get back what you cut.

It might be that there is an option or security setting that allows you
to bypass this restriction (not sure on that). Also, if your app is
for an intranet where you can dictate requirements, then this is
possible if you can require your users to have an extension to Firefox,
such as GreaseMonkey.

Csaba Gabor from Vienna

Csaba Gabor wrote:

PMA wrote:

OK

Thanks

But why do you consider access to clipboard thru' JS is a sec flaw ? I
really wonder why ...
Many times the word security flaw is used, especially when no scenario
is described, it means annoyance. Nevertheless, in this particular
instance, it can lead to data loss for the user. Consider that you are
editing something in Word and you do a cut. Along comes a
window.setTimeout from an open browser which decides it wants to write
to the clipboard and, poof, you don't get back what you cut.

I would say that is one of the least serious problems.
What about a webapp in the background that send all clipboardcontent to some
badguy's server nonstop?

And I think we saw reasons enough last years to consider IE a security flaw
on it's own behalf, not to mention the time Microsoft needs to patch their
own shit and release the patch.
Regards,
Erwin Moller

It might be that there is an option or security setting that allows you
to bypass this restriction (not sure on that). Also, if your app is
for an intranet where you can dictate requirements, then this is
possible if you can require your users to have an extension to Firefox,
such as GreaseMonkey.

Csaba Gabor from Vienna

"Csaba Gabor" <da*****@gmail.com> writes:

Many times the word security flaw is used, especially when no scenario
is described, it means annoyance. Nevertheless, in this particular
instance, it can lead to data loss for the user.

It can also lead to compromise of secret data:
<URL:http://tom.me.uk/clipboard/>
Since I use an application for storing my passwords, I will have them
in the clipboard at times. Were I to have IE open on a malicious page
at the time, that password could be sent to the bad guy.

A simple example of what can get captured:
---
<textarea id="store" rows="50" cols="80"></textarea>
<script type="text/javascript">
(function loot() {
var store = document.getElementById("store");
var last = "";
setInterval(
function(){
var now = window.clipboardData.getData("Text");
if (now != last) {
store.value += now;
last = now;
}
}, 250);
})()
</script>
---
Have this running in the background for a while and come back and see.
Then remember that this could all have been sent to somewhere using a
XMLHTTPRequest.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'

Gotcha,

However, when inside some intranet apps (in fact we are just using Web
technologies for making applications that are NOT connected to the
Internet and where security issues are monitored thru' a lot of
securities guys, anti virus, anti-spyware, anti-trojan anti-...,
firewalls (many, many, many of them) it is in a way strange that no
configuration is provided to release some features like the one I need
in FF.

Thanx
Philippe

PMA wrote:

Gotcha,

However, when inside some intranet apps (in fact we are just using Web
technologies for making applications that are NOT connected to the
Internet and where security issues are monitored thru' a lot of
securities guys, anti virus, anti-spyware, anti-trojan anti-...,
firewalls (many, many, many of them) it is in a way strange that no
configuration is provided to release some features like the one I need
in FF.
Well, you 3 options:

1) you can always code them yourself.
Firefox is an Open Source initiative after all.

2) Search for a plugin that enables clipboardmanipulation.
Google for "plugin firefox clipboard"
Three link that might interest you:
http://extensionroom.mozdev.org/main.php/Firefox
https://addons.mozilla.org/extension...cation=firefox
http://www.quickonlinetips.com/archi...power-surfing/

I didn't check any of them myself, but I think that if you look into how the
plugins work, you can maybe make your own.
I am unsure if you can make a link to Javascript, as you asked in your
original question.

3) Or you can ask the developers of Firefox if they want to implement it.
It is technically not difficult.

Regards,
Erwin Moller


Thanx
Philippe

PMA wrote:

Hi all,

I am porting a web application from IE 6.0 to FireFox 1.5. I have
solved almost all compatibility issues (quite a lot but not too bad)
except two of them :

1) Clipboard access thru' JavaScript (programmatical copy and
paste actions)
2) Monitoring and driving Insert/Overwrite mode on input fields

Any help appreciated.

Philippe

Take a look at:-

<URL:http://xulplanet.com/references/xpcomref/group_Clipboard.html>
<URL:http://xulplanet.com/references/xpcomref/group_Selection.html>

Regards

Julian Turner

Thanx very much ...

I would not like to go to a specific dev for that feature. In a way I
prefer to "limit" the application users than telling IT departement
(there are not far from 15,000 users !) that they have to
"re-masterize" 15,000 Workstations ...

Best regards
Philippe

Lasse Reichstein Nielsen wrote:

It can also lead to compromise of secret data:
<URL:http://tom.me.uk/clipboard/>
Since I use an application for storing my passwords, I will have them
in the clipboard at times. Were I to have IE open on a malicious page
at the time, that password could be sent to the bad guy.

I had a small iframe script which captured clipboard contents silently in
the background on my javascript page for a while, just for curiosity sake.

It was quite amazing what I captured. Internal memos, passwords, IM chats,
emails, lots of code snippets, _lots_ of url's, etc.

Along with disabling ActiveX and "Install On Demand", disabling the
clipboard feature in IE is one of the basic steps every IE user should take
to make their browsing more secure. Besides switching to Firefox, of course
;)

--
Matt Kruse
http://www.JavascriptToolbox.com
http://www.AjaxToolbox.com

Matt Kruse wrote:

Lasse Reichstein Nielsen wrote:

It can also lead to compromise of secret data:
<URL:http://tom.me.uk/clipboard/>
Since I use an application for storing my passwords, I will have them
in the clipboard at times. Were I to have IE open on a malicious page
at the time, that password could be sent to the bad guy.

I had a small iframe script which captured clipboard contents silently in
the background on my javascript page for a while, just for curiosity sake.

It was quite amazing what I captured. Internal memos, passwords, IM chats,
emails, lots of code snippets, _lots_ of url's, etc.

Along with disabling ActiveX and "Install On Demand", disabling the
clipboard feature in IE is one of the basic steps every IE user should take
to make their browsing more secure. Besides switching to Firefox, of course

Boy, remind me to be very careful when visiting your sites!

I'll add just one more method into the mix: If you install
GreaseMonkey and then customize it per
http://www.nabble.com/GM_sendKeys-t1421601.html, then using
GM_sendKeys("^c",textarea) and GM_sendKeys("^v",textarea) does a copy
and paste to the textarea. Of course any other GM script that you
allow might be just as sneaky as Matt's site, so be careful...

Csaba

Csaba Gabor wrote:

Boy, remind me to be very careful when visiting your sites!

To be fair, it should be noted that the "experiment" was short-term, and
followed up with a message to the user alerting them of the security problem
in their browser. It was an experiment I did to prove how problematic this
feature is, and to use that evidence to convince some administrators in
several companies to disable the feature in all of their IE installations.

--
Matt Kruse
http://www.JavascriptToolbox.com
http://www.AjaxToolbox.com