The approach taken by a number of popular applications like GitHub and Dropbox is the one that Novak describes. Flash objects embedded on a page can access the system clipboard. Until Flash 9, objects could anonymously read data from and write data to the clipboard without the user initiating any action. This vulnerability resulted in attacks like this. Flash still allows clipboard access, but since version 10 it requires an explicit user-initiated action to do so.
While this greatly improves the user experience of copying text, I am not sure that hijacking the user's interaction with a button and passing it on to a Flash object whose presence the user is not aware of is the right thing to do.
An alternate approach to copying content
I have been thinking about alternate approaches to enabling the copy feature. The approach that I have zeroed in on involves programmatically selecting the content that you want the user to copy and presenting it to the user. This is the approach that Google Maps uses.
This has two advantages:
- There is no clickjacking.
- This method allows the copying of richer content, for example HTML-formatted content with a hyperlink. Depending on the application into which the selected content is pasted, it is treated either as plain text or as rich text.
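The programmatic-selection approach, as an added example that is not code from the original post or from Google Maps: a visible copy control moves the browser selection onto the target element and leaves the actual copy to the user's own keyboard action. The element ids `copy-link` and `share-url` and the injected `win` parameter are assumptions made for this example.

```javascript
// Added example (not from the original post): move the browser selection
// onto an element so the user can copy it with Ctrl/Cmd+C. No hidden Flash
// object is involved and nothing touches the clipboard without the user's
// own copy action. `win` is injected so the logic can run outside a browser.
function selectContents(element, win) {
  if (!element) {
    return false;
  }
  const doc = element.ownerDocument || win.document;
  // Standard DOM Range / Selection path.
  if (typeof win.getSelection === 'function' &&
      typeof doc.createRange === 'function') {
    const range = doc.createRange();
    range.selectNodeContents(element);
    const selection = win.getSelection();
    selection.removeAllRanges(); // drop whatever the user had selected before
    selection.addRange(range);
    return true;
  }
  // Legacy IE TextRange path (browsers of the Flash 10 era).
  if (doc.body && typeof doc.body.createTextRange === 'function') {
    const textRange = doc.body.createTextRange();
    textRange.moveToElementText(element);
    textRange.select();
    return true;
  }
  return false;
}

// Wire a visible "copy" control to the target element. The click only moves
// the selection; the copy itself stays an explicit action by the user.
function bindCopyControl(button, target, win) {
  if (!button || !target) {
    return false;
  }
  button.addEventListener('click', (event) => {
    event.preventDefault();
    selectContents(target, win);
  });
  return true;
}

// Browser-only wiring with assumed element ids; skipped under Node.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  bindCopyControl(document.getElementById('copy-link'),
                  document.getElementById('share-url'), window);
}
```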
You can see this in action in the video below or the demo here:
If you have questions or comments about this blog post, you can get in touch with me on Twitter @sdqali.