Tess: the main security concern I have is that this a new way of exposing untrusted data (from the pasteboard)... In the answer to the questionnaire, they had a great answer to "what should this questionnaire have asked" - which was "does this spec compromise the user's system?" Their proposed mitigation is to put a permissiomn prompt over it. I don't think this is adaquate. People will just say yes because they won't understand the security implications. I'd like to see a more serious mitigation.

David: I agree that is not the sort of question you can explain to a user coherently.

Dan: this is a real dangerous thing because all kinds of info in the clipboard - private info - links, passwords, email addresses, etc...

David: we've always considered the ability to read from the clipboard without an explicit paste gesture to be a security veunerability.

Tess: Dan, why don't you and I each capture our concerns in the issue.

Dan: yes.

Dan: [case where safari prompts with a 2fa code to paste it in]

Tess: in the safari example, the web site doesn't see the 2fa code until the user makes an action to submit it.

[bumped a few weeks and we can pull it into f2f if appropriate

Tess: Not much has happened on our review. Hadley and I had a breakout on this at our F2F in Tokyo... this was a big topic on Friday at TPAC. Haven't seen the minutes from that; I believe it was an interesting discussion that ran late. I'd like to understand the outcome from that discussion.

... Never had a time to talk to Sam about this... just met him very briefly at lunch in Tokyo.

Hadley: I didn't get a chance to talk to anyone atbout this at TPAC either. Would be useful to find out what happened. This was still going on after I left.

Tess: I will try to dig up the minutes on this one.

Peter: Shall we bump this by a week?

Tess: A week sounds good.

Peter: Done.

Tess: We talked about this last week on the call, without having seen the minutes from the TPAC session, have since read these minutes

Tess: I did a very short summary of what I saw on slack the other day, basically, Gecko and WebKit engineers expressed concerns about the security/privacy implications of the API. And as a follow up I was trying to figure out if there was a Moz standards position on this, but there wasn't so I filed one.

Tess: The minutes were quite sparse so I would like to get a bit more info. I will make sure there is a link to the moz standards position issue from the TAG issue.

Dan: What are the main issues?

Tess: Main issue is security - the concern is that allowing web sites to write arbitrary typed concent to the paste board exposes the native apps to untrusted data that could lead to /sandbox escape/ to native apps.

Tess: One possible migiration is to expose the type of what is exposed, so that native apps by default wont read such data unless explicitly opting in. That seemed to be preferred by most people present, but doesn't work for integrating with existing apps that may never be updated.

Tess: Anne said that there had been some concensus the previous TPAC on a different solution that in my opinion sounded more promising.

Tess: One possible mitigation is instead of making it being opt in, would be to put writing to the paste board a permission prompt - but the opposition is that it is difficult explaining that to users.

Tess: I hope that Hadley has also looked at the minutes

Dan: Coming back to this I feel like that these issues have been raised before (looking at explainer) - the security issues are important what what I am most converned about is the notion that the user might have something on their clipboard that is privacy infringing (like password) and then some use switches tab and suddently a web page get access to this. Think about Slack for instance, like for me it has access to a lot, so switching to it might show an prompt.

Dan: I don't see this handled in the explainer - is that already a possibility with async clipboard? Why isn't this mentioned?

Ken: Can you add to the issue?

Dan: Yes, I can make that comme

Tess: Hadley, Dan and I did a breakout on this last week. we didn't get to the agenda item last week.

Dan: output captured in comments :

Tess: I looked into user gesture requirement. We (Safari) has a user gesture restriction. I don't think the spec mandates that.

Tess: re pickling, they had rejected this approach because native apps would have to opt in. I think the more pressing concern should be that adoption of other engines is unlikely because of the security risk.

Dan: no feedback yet - how can we progress?

Tess: at TPAC this was discussed in the editing task force - they may have regular calls. I will look into it.

Peter: we could close this with prejeduce as they're not being responsive. I'm concerned - if there is only one browser interested in this then it sounds like a bigger problem.

Lukasz: only one browser - GC - right? Do we have any formal power to give a failing grade?

Dan: give them one more week?

Dan: let some feedbac

Dan: I reached out to Alex Russell and Rick Byers 3 weeks ago and haven't heard back. Also no feedback from Darwin after my and Tess' feedback. Schedule for F2F and get them on the line or there in person?

Do we have visibility on whether these issues are being addressed?

Alice: Let me check whether I have gotten any email on the subject.

Dan: It poeple actually working in this or is it one of these issues that just fades away and wastes out time. Suggestion is to move this to F2F and I will press to get someone to join us.