Why is writing to the clipboard in JS considered a security hole?


Question

It seems there is currently no pure JavaScript method for accessing the system clipboard using most modern browsers, Internet Explorer being an exception. On numerous other Stack Overflow questions (e.g., Clipboard access using Javascript - sans Flash?) it's explained that this limitation is a deliberate security measure to protect against web sites reading passwords or other sensitive data from the clipboard.

While it seems obvious that reading from the clipboard would be a huge security risk, it's not clear to me why writing to the clipboard would be. What scenario, if any, are browsers protecting against by denying JS the ability to copy data to the clipboard?

Recommended answer

Writing to the clipboard is a way for malicious web sites (or other code running within sites, such as Flash-based ads) to trick users into spreading malware. This happened a few years ago with Flash-based ads that copied a malware URL onto the clipboard, in hopes that users would paste it when they intended to paste something else, thus polluting things like Facebook posts, forums, and e-mail. Instead of a link to a photo of Aunt Tilly's cat, you'd paste a link to some drive-by malware. Typically these were the "you've been infected with a virus, pay us $50 for the removal software" fake antivirus scams. I did some research on it, as a lot of my ClipMate customers were asking why these nasty URLs were suddenly appearing in ClipMate. While researching, I was attacked by Flash-based ads on MSNBC and DIGG. The clipboard has been subsequently locked down in Flash 10. You can read more about my saga here: http://www.clipboardextender.com/defective-apps/clipboard-virus-not-exactly-but-still-dangerous

I expect that the JavaScript restriction is to prevent similar things from happening.
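
A site that accepts pasted links (a post composer, a forum editor) can blunt the scenario described in the answer above by showing the user where a pasted link really points before it is posted. This is an added example, not part of the original question or answer; `TRUSTED_HOSTS`, `reviewPaste` and the sample hosts are hypothetical names chosen for illustration.

```javascript
// Added example: destination-side check for pasted links (not from the original post).
// TRUSTED_HOSTS is a hypothetical allowlist; all host names here are constructed.
const TRUSTED_HOSTS = new Set(["example.com", "photos.example.org"]);

// Pull http(s) URLs out of pasted text and parse them; unparseable matches are skipped.
function extractUrls(text) {
  const matches = text.match(/https?:\/\/[^\s<>"']+/gi) || [];
  const urls = [];
  for (const m of matches) {
    try { urls.push(new URL(m)); } catch (_) { /* not a valid URL */ }
  }
  return urls;
}

// A host is trusted if it equals an allowlisted host or is a subdomain of one.
function isTrustedHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  for (const trusted of TRUSTED_HOSTS) {
    if (host === trusted || host.endsWith("." + trusted)) return true;
  }
  return false;
}

// Classify pasted text: list the link hosts the user should confirm before posting.
// URLs carrying userinfo (user@host) are always flagged, since the visible prefix misleads.
function reviewPaste(text) {
  const unknown = extractUrls(text)
    .filter((u) => u.username || u.password || !isTrustedHost(u.hostname))
    .map((u) => u.hostname);
  return { needsConfirmation: unknown.length > 0, hosts: [...new Set(unknown)] };
}

// Browser wiring: show the user where the pasted link really goes before accepting it.
if (typeof document !== "undefined") {
  document.addEventListener("paste", (event) => {
    const text = event.clipboardData?.getData("text/plain") ?? "";
    const verdict = reviewPaste(text);
    if (verdict.needsConfirmation &&
        !window.confirm("Pasted text links to: " + verdict.hosts.join(", ") + ". Keep it?")) {
      event.preventDefault(); // drop the paste; the user did not expect this link
    }
  });
}
```

The check runs where the text lands, so it works regardless of which page or plugin replaced the clipboard contents.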
