Helical Alpha Code

clip: no, virginia, IE is not secure

At one time (IE4, I believe) access to clipboard contents was denied IE scripts unless that content originated in IE (ref). However, that is no longer the case, and has not been since IE6 or even earlier. (I use only secure browsers, so I haven't been able to pinpoint when this vulnerability entered the scene.) The system clipboard is eminently accessible via the JavaScript clipboardData object.

Don't believe me? Try installing clip on your site. All you have to do is give it a writable directory (on most servers, 633 should do it) for its logfiles and it's good to go.

Any page that loads "clip.php" as a JavaScript will be tested for the insecurity. If the insecurity exists, the clipboard contents will be encoded as a GET request and shipped back to the server via an autogenerated script tag. (Someone with a bit of AJAX knowledge could easily write a function to POST this back, avoiding the 2,500–3,000 character limit of most browsers' GET implementations. However, I'm not to be bothered testing for the various XMLHTTP implementations and trying to POST out of the correct one.)

What I recommend is including a line like:

RewriteRule ^clip\.js(\?x=.*) scripts/clip.php$1 [L]

in your .htaccess so that the script can play along as if it really were a discrete JavaScript. However, only fairly old browsers (and ones that don't have this hole implemented, I might add) reject JavaScript files not bearing the .js extension, so you should be fine either way. I'm just persnickety about that sort of thing.

clip | Download Source