
What makes access to a system's clipboard a security vulnerability?

I was about to get started on implementing a copy/paste feature in my web app but I found out that it's apparently not allowed. I am not too concerned with how to do it since it was an optional feature, but I was curious about what really makes it a security concern. If someone could explain, I would really appreciate it.


If I could access your clipboard, what might I find? A password from keepassx? The last porn site you visited? Your SSN?


It's also quite obnoxious when sites used to copy stuff to your clipboard without your action, thus clearing the other stuff you had in your clipboard. Some sites used to do that to try to prevent right-click copying of images and, in the process, they wrecked general usage of the clipboard. This isn't a security issue so much as a denial-of-service attack on your clipboard.

It probably isn't a security issue if only plain text could be put on the clipboard, but modern operating systems can put all sorts of things on the clipboard, some of which can be pretty powerful objects. The scope of how a receiving application might interact with random internet content put on the clipboard without the consent of the viewer is far too complicated to easily defend against all possible interactions.

As for the other way around, it's no business of a random web-site to know what is on my clipboard. Web pages should clearly NOT be able to read content from the clipboard without the user's consent.


The browser is sand-boxed from the clipboard for the same reason it is from the rest of your system. What I have in my clipboard is none of your business and you have no business overwriting what is in my clipboard :)

Just like developers have no business looking through my files, executing code, or adding files to my system. The clipboard is just another part of the end-user's machine, which the web application does not belong in.

If you do want a web application to be able to access the clipboard, or do many of the other things that a browser app is prevented from doing, you could look at porting the application to Adobe AIR. I have done so for certain things that required more than the browser could offer and it worked out great. It also allowed my users to use the application offline.

That said, there is a separate Clipboard API spec working draft for HTML5 in the works. http://dev.w3.org/2006/webapi/clipops/ I don't suspect that any browser is supporting it yet. And even if they eventually do, it will likely require user consent and be disabled by default.
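
The consent model the answers describe, as an added example that is not part of the original answers: a web app receives clipboard content only through a user-initiated `paste` event, and takes only the `text/plain` flavour while ignoring richer formats. `MAX_PASTE_CHARS`, the function names and the `#editor` textarea are assumptions for illustration.

```javascript
// Added example: accept clipboard data only from a user-initiated paste event,
// and only as plain text. MAX_PASTE_CHARS and all names here are assumptions.
const MAX_PASTE_CHARS = 10000;

// Returns { text, dropped }, where dropped lists the clipboard formats ignored.
function extractPlainText(clipboardData) {
  if (!clipboardData) return { text: '', dropped: [] };
  const types = Array.from(clipboardData.types || []);
  // Rich formats (text/html, Files, application-specific types) are never read.
  const dropped = types.filter((t) => t !== 'text/plain');
  let text = types.includes('text/plain') ? clipboardData.getData('text/plain') : '';
  // Normalise line endings, then strip control characters except tab and newline.
  text = text
    .replace(/\r\n?/g, '\n')
    .replace(/[\u0000-\u0008\u000B-\u001F\u007F]/g, '');
  return { text: text.slice(0, MAX_PASTE_CHARS), dropped };
}

// Paste handler: the page sees clipboard content only because the user pasted it.
function handlePaste(event, insertText) {
  // isTrusted is false for events that a script dispatched itself.
  if (!event.isTrusted) return null;
  event.preventDefault(); // stop the browser from inserting the rich version
  const result = extractPlainText(event.clipboardData);
  if (result.text) insertText(result.text);
  return result;
}

// Browser wiring, skipped when no DOM is present.
if (typeof document !== 'undefined') {
  const box = document.querySelector('textarea#editor'); // hypothetical element
  if (box) {
    box.addEventListener('paste', (e) =>
      handlePaste(e, (t) =>
        box.setRangeText(t, box.selectionStart, box.selectionEnd, 'end')));
  }
}
```
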
