Stronger Default Security Settings for Script Access to the Clipboard in Internet Explorer 7

Sunava Dutta
Microsoft Corporation

August 30, 2006

Introduction

New security related updates for Windows Internet Explorer 7 include a change in the default security settings for script access to the Clipboard. Pages that use script to access the clipboard will behave differently. Sites using script to access the Clipboard in the Internet and Trusted sites zones will see a prompt that informs the user that their Clipboard is being accessed by script (Figure 1). The prompt requires user intervention to continue. This is designed to prevent the risk, even if remote, of information disclosure through script access to the clipboard. An example exploit can be created by using script on a page to read and retrieve the current contents of your clipboard that may not be intended for that page. Past mention of potential exploits for this feature can be found on the CVE Web site.

Figure 1. Clipboard security alert dialog box

This article discusses how to address the compatibility impact of these changes in Internet Explorer 7.

Understanding the Compatibility Impact

Symptom

  • Your page prompts with the dialog box shown in Figure 1.
  • Your application hosting the WebBrowser control prompts with the dialog box shown in Figure 1.

Cause

Script is trying to access the contents of the Clipboard. Many Web pages use script to copy content to or from Clipboard. JScript provides several Clipboard related methods.

Historically, pages used script with the Clipboard for a variety of reasons.

  • Using script for digital rights management on the Clipboard.
  • Using script to sanitize content, for example, removing commas, slashes, and other characters. In many cases, this may not seem obvious to the user because the user tried to use the keyboard shortcuts (CTRL-C, CTRL-V, etc.) to copy and paste content.
  • Using script with buttons for actions like cut, copy, and paste instead of keyboard shortcuts.

By default, the user is prompted in the Internet and Trusted sites zones.

How to Minimize the Compatibility Impact

Internet options

To work around this security control feature, start Internet Explorer 7. Click Tools, and then click Internet Options. Click the Security tab, select the Internet zone, and then click Custom Level. Under Scripting, click Enable for Allow Programmatic clipboard access.

NOTE  We do not recommend this workaround because sensitive information on your Clipboard such as your passwords can be disclosed.

Figure 2. Internet Option dialog box

You may not be able to change this security control feature if your administrator has policy enabled the setting.

Web pages

Avoid using script that accesses the Clipboard whenever possible.

Applications hosting the WebBrowser control

Feature Control Key

We have created a security feature control key that applications that host the WebBrowser control can use. If the application (such as MSN Explorer) uses this feature control key, it will be able to opt into our security mitigation and will prompt each time script accesses the Clipboard. To use this feature, the application must have its process name added to the registry key for the feature control.

By default, the feature control key is enabled.

For example, to enable prompting for script access to the clipboard for the Current User or Local Machine, create a DWORD value named after your application process name under the following registry key and set it to 0.

  HKEY_CURRENT_USER (or HKEY_LOCAL_MACHINE)
   SOFTWARE
      Microsoft
         Windows
            Internet Explorer
               Main
                  FeatureControl
                    Feature_Enable_Script_Paste_URLAction_If_Prompt
                       Your application.exe = (DWORD) 0
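The registry change above, written as a PowerShell script. This is an added example and not part of the original article; the process name YourApplication.exe is a placeholder, and the script assumes the standard Registry provider drives HKCU: and HKLM:.

```powershell
# Added example, not from the original article. Registers a WebBrowser-hosting
# application under the feature control key so that script access to the
# Clipboard prompts the user. The process name is a placeholder; replace it
# with the executable name of your host application.
param(
    [string]$ProcessName = 'YourApplication.exe',        # placeholder value
    [ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU'  # per-user or machine-wide
)

$keyPath = "${Hive}:\SOFTWARE\Microsoft\Windows\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_Paste_URLAction_If_Prompt"

# Create the feature control key if it does not exist yet.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# The value name is the process name; the article specifies a DWORD of 0.
New-ItemProperty -Path $keyPath -Name $ProcessName -PropertyType DWord -Value 0 -Force | Out-Null

# Read the value back so the change can be verified after the script runs.
$written = (Get-ItemProperty -Path $keyPath -Name $ProcessName).$ProcessName
Write-Output ("{0}\{1} = {2}" -f $keyPath, $ProcessName, $written)
```

Writing to HKLM requires an elevated session, and the value has no effect if an administrator has set the corresponding Group Policy, as the article notes.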

You may not be able to change this security control feature if your administrator has policy enabled the setting.

execCommand and Custom Security Manager

The document object has an execCommand method that you can also use to perform cut, copy, and paste operations. This method provides you with the same security restrictions as before, but it delegates to your custom security manager, if one exists. This is appropriate if you are running script that initiates the operations. See custom security manager for more information. This approach allows for applications hosting the WebBrowser control to opt out of the security fix.

IOleCommandTarget::Exec

If you are hosting binary code, using IOleCommandTarget::Exec is the ideal approach for cut, copy, and paste operations. All security checks are avoided for binary callers.

Group Policies

Administrators can also control this security feature through Group Policy.

  • To control settings for script access to the Clipboard, use the policy named Allow cut, copy or paste operations from the clipboard via script. It should be located in the path:

    Local Computer Policy/{User Configuration, Computer Configuration}/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/{Zone}

  • To control permissions for script access to the Clipboard on the computer for applications that host the WebBrowser control, we also have a policy named Enable cut, copy or paste operations from the clipboard if URLACTION_SCRIPT_PASTE is set to Prompt.

    The paths for this policy are:

    Local Computer Policy/Administrative Templates/Windows Components/Internet Explorer/Application Compatibility

    and

    User Configuration/Administrative Templates/Windows Components/Internet Explorer/Application Compatibility


About the author

Sunava Dutta is a program manager on the Internet Explorer team.