[Spice-devel] RFC [spice-gtk] session: Allow to delay sending clipboard to the guest

Frediano Ziglio fziglio at redhat.com
Thu Jan 11 13:10:39 UTC 2018


> 
> Hi
> 
> ----- Original Message -----
> > On Tue, Jan 09, 2018 at 12:16:33PM -0500, Marc-André Lureau wrote:
> > > I think it's problematic for traditional applications as well.
> > > clipboard access is probably going to be limited by default and only
> > > accessed through so-called "portals", just like file access etc. This
> > > topic should be brought on desktop / flatpak mailing list.
> > 
> > Maybe in some distant future, all applications everyone is running will
> > be flatpak, and will be using portals to improve security. The same
> > thing can be said regarding wayland, which does not have this issue.
> > Some time in the future, this will become a non-issue. However, solving
> > this now on x11 is definitely not something which should be related to
> > portals/flatpak in my opinion.
> 
> I propose a --spice-disable-clipboard, and client UI to switch on/off
> clipboard sharing functionality.
> 
> Something different will likely break some clipboard users or lower
> experience.

If we consider this a security threat than default should be disabled
and there should be a --spice-enable-clipboard. Note that the default
option apply to different tools (like virt-manager and boxes).

If we decide to go to the on/off options I would see some options

- default on (like now). The user should be prompted that there's
  a security issue and confirm to have understood. Without that
  prompt and knowing the issue spice could be potentially considered
  not that secure to use. That means the confirmation should be saved
  in order to avoid prompting it every time;
- default off. We could say nothing but I think the user would be
  quite frustrated as without any message and with just an update
  copy&paste won't work. We could give the user a prompt also in
  this case. This seems more secure, if user does not read the
  message and click "ok" the data can be leaked.

>From user experience and customer feeling somebody could complain
that the vmware default (c&p only with focus like Christophe patch
is supposed to do) is quite good and does not require manually
enable/disable that making really easy to use.

>From implementation details the off and focus options would require
some code to make c&p not work (always or on conditions) so I
think we could agree on a patch implementing on/off on the code.
As already understood the agent couldn't force a read of remote
clipboard if disable (or the guest could do a polling of the changes).

I personally agree with Christophe about not using portals for now
and on the focus option.

Frediano


More information about the Spice-devel mailing list