[RFC wayland-protocols v4] Add Primary Selection Protocol Version 1

Carlos Garnacho carlosg at gnome.org
Mon Feb 22 18:23:13 UTC 2016 

Hi Michal,

On Mon, Feb 22, 2016 at 4:53 PM, Michal Suchanek <hramrach at gmail.com> wrote:
> On 22 February 2016 at 15:57, Carlos Garnacho <carlosg at gnome.org> wrote:
>> Hi Michal,
>>
>> On Mon, Feb 22, 2016 at 2:25 PM, Michal Suchanek <hramrach at gmail.com> wrote:
>>> Hello,
>>>
>>> On 20 February 2016 at 01:31, Carlos Garnacho <carlosg at gnome.org> wrote:
>>>
>>>> +
>>>> +  <description summary="Primary selection protocol">
>>>> +    This protocol provides the ability to have a primary selection device to
>>>> +    match that of the X server. This primary selection is a shortcut to the
>>>> +    common clipboard selection, where text just needs to be selected in order
>>>> +    to allow copying it elsewhere. The de facto way to perform this action
>>>> +    is the middle mouse button, although it is not limited to this one.
>>>> +
>>>> +    Clients wishing to honor primary selection should create a primary
>>>> +    selection source and set it as the selection through
>>>> +    wp_primary_selection_device.set_selection whenever the text selection
>>>> +    changes. In order to minimize calls in pointer-driven text selection,
>>>> +    it should happen only once after the operation finished. Similarly,
>>>> +    a NULL source should be set when text is unselected.
>>>> +
>>>> +    wp_primary_selection_offer objects are first announced through the
>>>> +    wp_primary_selection_device.data_offer event. Immediately after this event,
>>>> +    the primary data offer will emit wp_primary_selection_offer.offer events
>>>> +    to let know of the mime types being offered.
>>>> +
>>>> +    When the primary selection changes, the client with the keyboard focus
>>>> +    will receive wp_primary_selection_device.selection events. Only the client
>>>
>>> Why keyboard focus?
>>>
>>> Since paste is done mainly using mouse this has nothing to do with
>>> keyboard focus.
>>
>> Doing this so allows us to behave just the same than we do with the
>> core protocol selection, slightly divergent protocols make sharing
>> code harder.
>>
>> Conceptually, it also makes some sense to me. I argue that a logical
>> "key" focus is needed in compositors, even on lack of wl_keyboard
>> capabilities. Things that IMO make sense to tie together in this
>> focus, per-seat are:
>> - wl_keyboard focus
>> - wp_text_input focus
>> - focus por (possibly several) pads/buttonsets
>> - clipboard selection
>> - primary selection
>>
>> Of course these are only guidelines, and compositors may attempt to
>> implement split foci for these. But still, selection should be tied to
>> some definite focus, the other option is broadcasting, and I'd very
>> much prefer not to do that.
>>
>> I may try to change the wording just to suggest it's loosely attached
>> to keyboard focus though.
>
> If you put an Insert sticker on your pad button and bind pasting to
> that pad button and the pad focus is not tied to keyboard focus you
> have potentially a problem there.

Right, that's why I suggest having those reunited in a single logical
focus. Anything else is plagued of corner cases.

>
>>
>>>
>>>> +    with the keyboard focus will receive such events with a non-NULL
>>>> +    wp_primary_selection_offer. Across keyboard focus changes, previously
>>>> +    focused clients will receive wp_primary_selection_device.events with a
>>>> +    NULL wp_primary_selection_offer.
>>>> +
>>>> +    In order to request the primary selection data, the client must pass
>>>> +    a recent serial pertaining to the press event that is triggering the
>>>> +    operation, if the compositor deems the serial valid and recent, the
>>>
>>> Why press event when it has an offer event to base the request on?
>>>
>>> There is no need to involve other unrelated events.
>>
>> IIRC The first protocol drafts attempted to limit the circumstances in
>> which a client could read the primary selection. This is a change of
>> approach.
>>
>>>
>>> IMHO the fact that the application receives ANY input event suffices.
>>> eg. a pointer entry event.
>>
>> Do you mean wl_pointer.enter should be enough to have the application
>> read the primary selection? seems open to data leaks to me.
>>
>> This serial event is meant to check for user interaction rather than
>> "any input event", so just focusing a client is not enough to have it
>> retrieve the primary selection.
>
> And why is clicking enough and focusing not?
>
> Accidentally clicking an application can happen as much as
> accidentally pointing at it.

Citation needed :). Windows can be certainly arranged so that it's not
possible to move the pointer between app A and B without going through
a third application. The problem with doing this on pointer focus is
that situations like this come off the very nature of a 2D compositor.
Tying this to user interaction kills most of the concerns here, the
situation where the user accidentally clicks on an app that happens to
be malicious and request the clipboard on any interaction should be
unlikely enough, plus it'd make a lousy malicious app.

> With touch interface it's pretty much the
> same thing. With click-to-focus also. If you want to prevent data
> leaks you can unmap windows that should not receive the paste or use a
> compositor with per-application access policy for clipboards.

Those are all compositor dependent policies, I think something should
be done at the protocol level.

>
> So instead of saying that a button down event should trigger paste in
> the protocol specification

Nothing like that is mentioned. Wording is deliberately ambiguous as
to which event triggers primary selection paste.

> it is wiser to say that sending the paste
> offer to a client can happen at the discretion of the compositor and
> suggest some reasonable policy.

What is unreasonable about serial checking?

>
> Compositor should be free to implement any policy the author finds
> reasonable including broadcast on selection change, point to paste,
> button press to paste, and per-application different policies.

So you want the protocol to be purposely ambigous on data leak situations?

Let's take the most extreme case, primary selection can be broadcasted
and clients can be free to read data right away. You've just allowed
compositors to replicate all the flaws of X11 primary selection.

Cheers,
  Carlos

More information about the wayland-devel mailing list