What makes access to the system clipboard a security vulnerability?
I was about to get started on implementing a copy/paste feature in my web app but I found out that it's apparently not allowed. I am not too concerned with how to do it since it was an optional feature, but I was curious about what really makes it a security concern. If someone could explain, I would really appreciate it.
If I could access your clipboard, what might I find? A password from keepassx? The last porn site you visited? Your SSN?
It's also quite obnoxious when sites used to copy stuff to your clipboard without your action, thus clearing the other stuff you had in your clipboard. Some sites used to do that to try to prevent right-click copying of images and, in the process, they wrecked general usage of the clipboard. This isn't a security issue so much as a denial-of-service attack on your clipboard.
It probably isn't a security issue if only plain text could be put on the clipboard, but modern operating systems can put all sorts of things on the clipboard, some of which can be pretty powerful objects. The scope of how a receiving application might interact with random internet content put on the clipboard without the consent of the viewer is far too complicated to easily defend against all possible interactions.
As for the other way around, it's no business of a random web-site to know what is on my clipboard. Web pages should clearly NOT be able to read content from the clipboard without the user's consent.
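The second answer's point that rich clipboard objects are the real hazard for the receiving application suggests a mitigation: accept only text/plain on paste and drop everything else. This is an added example, not code from any of the answers; the fakeClipboard helper is a constructed stand-in for the browser's DataTransfer so the logic runs outside a browser.

```javascript
// Allow-list of clipboard MIME types the web app accepts on paste.
// text/html, image/*, Files and custom types are all dropped.
const ALLOWED_TYPES = new Set(["text/plain"]);
const MAX_PASTE_CHARS = 10000;

// Returns { text, dropped }: the sanitised plain text plus the types rejected.
function sanitizePaste(clipboardData) {
  const types = Array.from(clipboardData.types || []);
  const dropped = types.filter((t) => !ALLOWED_TYPES.has(t));
  let text = types.includes("text/plain") ? clipboardData.getData("text/plain") : "";
  // Normalise line endings, strip control characters (tab and newline excepted),
  // and cap the length so a huge paste cannot stall the page.
  text = text
    .replace(/\r\n?/g, "\n")
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "");
  if (text.length > MAX_PASTE_CHARS) text = text.slice(0, MAX_PASTE_CHARS);
  return { text, dropped };
}

// Paste handler for a textarea/input: cancels the browser's default (rich) paste
// and inserts only the sanitised text. Returns the dropped types for logging.
function handlePaste(event, target) {
  event.preventDefault();
  const { text, dropped } = sanitizePaste(event.clipboardData);
  target.value += text; // caret-aware insertion left out to keep the example short
  return dropped;
}

// Constructed stand-in for DataTransfer (types + getData), used for offline demo/testing.
function fakeClipboard(items) {
  return { types: Object.keys(items), getData: (t) => (t in items ? items[t] : "") };
}

// In a real page: element.addEventListener("paste", (e) => handlePaste(e, element));
if (typeof document === "undefined") {
  const ev = {
    preventDefault() {},
    clipboardData: fakeClipboard({ "text/plain": "hello\r\nworld", "text/html": "<b>hello</b>" }),
  };
  const box = { value: "" };
  console.log(handlePaste(ev, box), JSON.stringify(box.value));
}
```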
The browser is sand-boxed from the clipboard for the same reason it is from the rest of your system. What I have in my clipboard is none of your business and you have no business overwriting what is in my clipboard :)
Just like developers have no business looking through my files, executing code, or adding files to my system. The clipboard is just another part of the end-user's machine, which the web application does not belong in.
If you do want a web application to be able to access the clipboard, or do many of the other things that a browser app is prevented from doing, you could look at porting the application to Adobe AIR. I have done so for certain things that required more than the browser could offer and it worked out great. It also allowed my users to use the application offline.
That said, there is a separate Clipboard API spec working draft for HTML5 in the works. http://dev.w3.org/2006/webapi/clipops/ I don't suspect that any browser is supporting it yet. And even if they eventually do, it will likely require user consent and be disabled by default.