FireFox 1.5 & clipboard access & controlling insert/overwrite mode

Discussion in 'Javascript' started by PMA, Apr 13, 2006.

  1. PMA

    PMA Guest

    Hi all,

    I am porting a web application from IE 6.0 to FireFox 1.5. I have
    solved almost all compatibility issues (quite a lot but not too bad)
    except two of them :

    1) Clipboard access thru' JavaScript (programmatical copy and
    paste actions)
    2) Monitoring and driving Insert/Overwrite mode on input fields

    Any help appreciated.

    Philippe
     
    PMA, Apr 13, 2006
    #1

  2. PMA

    Randy Webb Guest

    Re: FireFox 1.5 & clipboard access & controlling insert/overwrite mode

    PMA said the following on 4/13/2006 6:04 AM:
    > Hi all,
    >
    > I am porting a web application from IE 6.0 to FireFox 1.5. I have
    > solved almost all compatibility issues (quite a lot but not too bad)
    > except two of them :
    >
    > 1) Clipboard access thru' JavaScript (programmatical copy and
    > paste actions)


    Can't programmatically access the Clipboard in Firefox. It's an IE-only
    security flaw - err - feature.

    > 2) Monitoring and driving Insert/Overwrite mode on input fields


    If memory serves me correctly, that can't be done in FF either.

    --
    Randy
    comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
    Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
     
    Randy Webb, Apr 13, 2006
    #2

  3. PMA

    PMA Guest

    OK

    Thanks

    But why do you consider access to clipboard thru' JS is a sec flaw ? I
    really wonder why ...
     
    PMA, Apr 13, 2006
    #3
  4. PMA

    Csaba Gabor Guest

    PMA wrote:
    > OK
    >
    > Thanks
    >
    > But why do you consider access to clipboard thru' JS is a sec flaw ? I
    > really wonder why ...


    Many times the word security flaw is used, especially when no scenario
    is described, it means annoyance. Nevertheless, in this particular
    instance, it can lead to data loss for the user. Consider that you are
    editing something in Word and you do a cut. Along comes a
    window.setTimeout from an open browser which decides it wants to write
    to the clipboard and, poof, you don't get back what you cut.

    It might be that there is an option or security setting that allows you
    to bypass this restriction (not sure on that). Also, if your app is
    for an intranet where you can dictate requirements, then this is
    possible if you can require your users to have an extension to Firefox,
    such as GreaseMonkey.

    Csaba Gabor from Vienna
     
    Csaba Gabor, Apr 13, 2006
    #4
  5. PMA

    Erwin Moller Guest

    Csaba Gabor wrote:

    > PMA wrote:
    >> OK
    >>
    >> Thanks
    >>
    >> But why do you consider access to clipboard thru' JS is a sec flaw ? I
    >> really wonder why ...

    >
    > Many times the word security flaw is used, especially when no scenario
    > is described, it means annoyance. Nevertheless, in this particular
    > instance, it can lead to data loss for the user. Consider that you are
    > editing something in Word and you do a cut. Along comes a
    > window.setTimeout from an open browser which decides it wants to write
    > to the clipboard and, poof, you don't get back what you cut.


    I would say that is one of the least serious problems.
    What about a webapp in the background that sends all clipboard content to some
    badguy's server nonstop?

    And I think we saw reasons enough last years to consider IE a security flaw
    on its own behalf, not to mention the time Microsoft needs to patch their
    own shit and release the patch.


    Regards,
    Erwin Moller

    >
    > It might be that there is an option or security setting that allows you
    > to bypass this restriction (not sure on that). Also, if your app is
    > for an intranet where you can dictate requirements, then this is
    > possible if you can require your users to have an extension to Firefox,
    > such as GreaseMonkey.
    >
    > Csaba Gabor from Vienna
     
    Erwin Moller, Apr 13, 2006
    #5
  6. Re: FireFox 1.5 & clipboard access & controlling insert/overwrite mode

    "Csaba Gabor" writes:

    > Many times the word security flaw is used, especially when no scenario
    > is described, it means annoyance. Nevertheless, in this particular
    > instance, it can lead to data loss for the user.


    It can also lead to compromise of secret data:
    <URL:http://tom.me.uk/clipboard/>
    Since I use an application for storing my passwords, I will have them
    in the clipboard at times. Were I to have IE open on a malicious page
    at the time, that password could be sent to the bad guy.

    A simple example of what can get captured:
    ---
    <textarea id="store" rows="50" cols="80"></textarea>
    <script type="text/javascript">
    (function loot() {
      var store = document.getElementById("store");
      var last = "";
      // Poll the IE-only window.clipboardData object four times a second.
      setInterval(
        function () {
          var now = window.clipboardData.getData("Text");
          // Append only when the clipboard contents have changed.
          if (now != last) {
            store.value += now;
            last = now;
          }
        }, 250);
    })();
    </script>
    ---
    Have this running in the background for a while and come back and see.
    Then remember that this could all have been sent to somewhere using a
    XMLHTTPRequest.

    /L
    --
    Lasse Reichstein Nielsen -
    DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
    'Faith without judgement merely degrades the spirit divine.'
     
    Lasse Reichstein Nielsen, Apr 13, 2006
    #6
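
Added example (not part of the original thread): a heuristic audit, in JavaScript, that flags `clipboardData.getData` calls sitting inside a `setInterval`/`setTimeout` call, the background-polling pattern shown in the post above, separately from reads made elsewhere such as a paste handler. The function names and both sample sources are constructed for illustration; the scan is textual and does not parse strings or comments.

```javascript
// Added example: heuristic audit for script-driven clipboard reads.
// Textual scan only: strings and comments are not parsed.
const CLIPBOARD_READ = /\bclipboardData\s*\.\s*getData\s*\(/g;
const TIMER_CALL = /\bset(?:Interval|Timeout)\s*\(/g;

// Index just past the ")" that closes the "(" at openIdx.
function matchParen(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === "(") depth++;
    else if (src[i] === ")" && --depth === 0) return i + 1;
  }
  return src.length; // unbalanced input: treat the rest as inside the call
}

// [start, end) spans of every setInterval(...) / setTimeout(...) argument list.
function timerRanges(src) {
  return [...src.matchAll(TIMER_CALL)].map((m) => {
    const open = m.index + m[0].length - 1;
    return [open, matchParen(src, open)];
  });
}

// One finding per clipboard read: "high" when it sits inside a timer call
// (background polling), "review" otherwise (for example a paste handler).
function auditClipboardReads(src) {
  const ranges = timerRanges(src);
  return [...src.matchAll(CLIPBOARD_READ)].map((m) => ({
    line: src.slice(0, m.index).split("\n").length,
    severity: ranges.some(([s, e]) => m.index > s && m.index < e) ? "high" : "review",
  }));
}

// Constructed sample: the polling pattern from the thread, reduced.
const polledSample = [
  'var last = "";',
  "setInterval(function () {",
  '  var now = window.clipboardData.getData("Text");',
  "  if (now != last) { last = now; }",
  "}, 250);",
].join("\n");

// Constructed sample: a read that happens only when the user pastes.
const pasteSample = [
  "field.onpaste = function () {",
  '  var text = window.clipboardData.getData("Text");',
  "  field.value = text.toUpperCase();",
  "};",
].join("\n");
```

A timer that is handed a named function (`setInterval(poll, 250)`) is not followed by this scan, so a "review" finding still needs a manual look at how the enclosing function is invoked.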
  7. PMA

    PMA Guest

    Gotcha,

    However, when inside some intranet apps (in fact we are just using Web
    technologies for making applications that are NOT connected to the
    Internet and where security issues are monitored thru' a lot of
    security guys, anti virus, anti-spyware, anti-trojan anti-...,
    firewalls (many, many, many of them)) it is in a way strange that no
    configuration is provided to release some features like the one I need
    in FF.

    Thanx
    Philippe
     
    PMA, Apr 13, 2006
    #7
  8. PMA

    Erwin Moller Guest

    PMA wrote:

    > Gotcha,
    >
    > However, when inside some intranet apps (in fact we are just using Web
    > technologies for making applications that are NOT connected to the
    > Internet and where security issues are monitored thru' a lot of
    > securities guys, anti virus, anti-spyware, anti-trojan anti-...,
    > firewalls (many, many, many of them) it is in a way strange that no
    > configuration is provided to release some features like the one I need
    > in FF.


    Well, you have 3 options:

    1) you can always code them yourself.
    Firefox is an Open Source initiative after all.

    2) Search for a plugin that enables clipboard manipulation.
    Google for "plugin firefox clipboard"
    Three links that might interest you:
    http://extensionroom.mozdev.org/main.php/Firefox
    https://addons.mozilla.org/extensions/moreinfo.php?id=852&application=firefox
    http://www.quickonlinetips.com/archives/2005/12/50-best-firefox-extensions-for-power-surfing/

    I didn't check any of them myself, but I think that if you look into how the
    plugins work, you can maybe make your own.
    I am unsure if you can make a link to Javascript, as you asked in your
    original question.

    3) Or you can ask the developers of Firefox if they want to implement it.
    It is technically not difficult.

    Regards,
    Erwin Moller


    >
    > Thanx
    > Philippe
     
    Erwin Moller, Apr 13, 2006
    #8
  9. PMA wrote:

    > Hi all,
    >
    > I am porting a web application from IE 6.0 to FireFox 1.5. I have
    > solved almost all compatibility issues (quite a lot but not too bad)
    > except two of them :
    >
    > 1) Clipboard access thru' JavaScript (programmatical copy and
    > paste actions)
    > 2) Monitoring and driving Insert/Overwrite mode on input fields
    >
    > Any help appreciated.
    >
    > Philippe


    Take a look at:-

    <URL:http://xulplanet.com/references/xpcomref/group_Clipboard.html>
    <URL:http://xulplanet.com/references/xpcomref/group_Selection.html>

    Regards

    Julian Turner
     
    Julian Turner, Apr 13, 2006
    #9
  10. PMA

    PMA Guest

    Thanx very much ...

    I would not like to go to a specific dev for that feature. In a way I
    prefer to "limit" the application users than telling IT department
    (there are not far from 15,000 users !) that they have to
    "re-masterize" 15,000 Workstations ...

    Best regards
    Philippe
     
    PMA, Apr 13, 2006
    #10
  11. PMA

    Matt Kruse Guest

    Lasse Reichstein Nielsen wrote:
    > It can also lead to compromise of secret data:
    > <URL:http://tom.me.uk/clipboard/>
    > Since I use an application for storing my passwords, I will have them
    > in the clipboard at times. Were I to have IE open on a malicious page
    > at the time, that password could be sent to the bad guy.


    I had a small iframe script which captured clipboard contents silently in
    the background on my javascript page for a while, just for curiosity's sake.

    It was quite amazing what I captured. Internal memos, passwords, IM chats,
    emails, lots of code snippets, _lots_ of URLs, etc.

    Along with disabling ActiveX and "Install On Demand", disabling the
    clipboard feature in IE is one of the basic steps every IE user should take
    to make their browsing more secure. Besides switching to Firefox, of course
    ;)

    --
    Matt Kruse
    http://www.JavascriptToolbox.com
    http://www.AjaxToolbox.com
     
    Matt Kruse, Apr 13, 2006
    #11
  12. PMA

    Csaba Gabor Guest

    Matt Kruse wrote:
    > Lasse Reichstein Nielsen wrote:
    > > It can also lead to compromise of secret data:
    > > <URL:http://tom.me.uk/clipboard/>
    > > Since I use an application for storing my passwords, I will have them
    > > in the clipboard at times. Were I to have IE open on a malicious page
    > > at the time, that password could be sent to the bad guy.

    >
    > I had a small iframe script which captured clipboard contents silently in
    > the background on my javascript page for a while, just for curiosity sake.
    >
    > It was quite amazing what I captured. Internal memos, passwords, IM chats,
    > emails, lots of code snippets, _lots_ of url's, etc.
    >
    > Along with disabling ActiveX and "Install On Demand", disabling the
    > clipboard feature in IE is one of the basic steps every IE user should take
    > to make their browsing more secure. Besides switching to Firefox, of course


    Boy, remind me to be very careful when visiting your sites!

    I'll add just one more method into the mix: If you install
    GreaseMonkey and then customize it per
    http://www.nabble.com/GM_sendKeys-t1421601.html, then using
    GM_sendKeys("^c",textarea) and GM_sendKeys("^v",textarea) does a copy
    and paste to the textarea. Of course any other GM script that you
    allow might be just as sneaky as Matt's site, so be careful...

    Csaba
     
    Csaba Gabor, Apr 13, 2006
    #12
  13. PMA

    Matt Kruse Guest

    Csaba Gabor wrote:
    > Boy, remind me to be very careful when visiting your sites!


    To be fair, it should be noted that the "experiment" was short-term, and
    followed up with a message to the user alerting them of the security problem
    in their browser. It was an experiment I did to prove how problematic this
    feature is, and to use that evidence to convince some administrators in
    several companies to disable the feature in all of their IE installations.

    --
    Matt Kruse
    http://www.JavascriptToolbox.com
    http://www.AjaxToolbox.com
     
    Matt Kruse, Apr 13, 2006
    #13
