Chrome allows websites to write to the clipboard without the user’s permission
Steps to reproduce:
1. Visit https://webplatform.news/ in a Chromium-based browser
2. Inspect your clipboard (paste it somewhere)
1. Visit https://webplatform.news/ in a Chromium-based browser
2. Inspect your clipboard (paste it somewhere)
193 comments
[ 87.9 ms ] story [ 4200 ms ] threadCan we all now say in unison: FILELESS MALWARE?
Oh, wait.
Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.
Doesn't happen on Firefox as expected.
Edit: to clarify, that is
WindowsVersion 1.42.97 Chromium: 104.0.5112.102 (Official Build) (64-bit)
Also, is there a way to patch this Chrome "feature"?
The user’s wallet software can detect these by warning the user that the contract address is unknown or never before seen by them.
Besides this is irrelevant. Websites have always been able to do what you're describing, because copying is a gesture. This bug doesn't change that.
Writing to it is super common for things like share links where clicking the button puts them in the clipboard.
So instead of changing their new tab page to require a gesture like all other sites... they decided to allow any website to copy text into the clipboard. Nice.
I think copying into the clipboard needs an overhaul—even with a gesture. Don't you hate when news sites add a "- from XYZ" to your clipboard? That shouldn't be possible. I'm not sure how you'd fix this, but it should be fixed.
[0] crbug.com/1334203
(On my computer I usually disable the scripts so that it will not do such a things, but even if scripts are enabled, you might want to configure that feature too.)
And then there's the "clever" sites that replace the text I copied with a message like "haha you thought you could copy this? think again sucker".
But then: what's to stop websites from detecting you've selected text, unselecting it, and copying the bad text in, and then reselecting it...
There are so many loopholes I can imagine to get around these restrictions :(
There are also some sites that popup a small box above your selection with a share box. Straight to hell with those. Compulsive selectors go mad on those sites. That's you, medium.com.
Perhaps you want a RTE that doesn't depend on JS. I think that's a reasonable thing to want; but if you normally browse with JS switched off, then running into a working RTE is at least going to violate the Principle of Least Surprise.
Javascript knows about clicks, doubleclicks, hovers... like almost every interaction the user does. There are use cases but also potential to be exploited somehow.
My uBlock Origin filters stop them with extreme prejudice.
Couple of things
1. How do you focus a text field without a keyboard? Mouse or touch only? No TAB, no up/down keys for scrolling, no escape, etc.
2. You can disable all non text content in a web page. This was always possible
I can go on and on but what's the point?
Disabling JavaScript.
Or conversely, make the visible text “pointer-events: none” and it sits in front of the dangerous text.
Chrome should be spun off into a non-profit that is barred from Google/Alphabet influence.
Not saying it’s worse, but it may not necessarily be due to Google also being an ad giant, but just corporations being corporations and having the wrong priorities.
dictate random policies like that and you will watch American capitalism die.
Why don't you look to Europe instead?
“As a policy regime, it is described by academics as advocating economic and social interventions to promote social justice within the framework of a liberal-democratic polity and a capitalist-oriented mixed economy.”
Some of the world’s most successful countries are run that way.
It is called social democracy.
And even the modern monopolies... Gates and his mom getting him a deal with IBM is a bit different than someone else without a well connected mom.
And looking at tax rates companies like facebook pay, I think corruption is very well alive in USA too.
Option 1: the definition of "capitalism" requires that zero regulation be applied. In that case, abandon "capitalism" and replace it with whatever you'd call the same model but with regulation.
Option 2: a significant amount of regulation actually is enough alone to fatally destabilize capitalism. I do not believe this to be the case, but if it were, then it should very likely be abandoned, but it's difficult to know how other options might behave in this hypothetical universe.
If that is not the assumption then we can just make arbitrary claims about anything and calculate "drift"
Definitions have an inherently arbitrary component, sure. But stable, precise definitions are far easier to reason with than a shifting definition like "whatever the US is doing right now".
Dumping a ton of money down the toilet doesn't mean you own the toilet.
Only 100m?
Capitalism requires that the capitalists (who own for a living) are in control of the state, so it has little incentive to stop Google from messing with your system.
The only certain way to stop them is for workers (who work for a living, the majority of us) gain control of state power through a socialist revolution. Those historically are led by communists or similar.
So if you want control over your computer and ultimately life, join us in conspiring to overthrow capitalism.
I choose neither. Is there another alternative?
But it’s worth keeping in mind that the capitalists also control the media, school curriculums, academia (including economics and history), etc. It’s not hard for them to portray all socialist countries as far worse than they are, in order to discourage workers from rising up. And of course it is in the capitalists interest to do so.
I'd be even happier if governments treated small businesses the same as they treat large (mostly by making tax avoidance impossible, and making the large pay the same taxes as the small ones to), but that's practically impossible with the corruption in our governments.
You’re happier in a richer country, as are many of us Eastern Europeans that have been forced to emigrate. We could’ve been even happier in our own countries while having collective control over the means of production, but the (foreign) capitalists made sure that wasn’t possible through propaganda, coups, sanctions and invasions.
I haven't moved, I still live in the same city, the country is the one that doesn't exist anymore.
That's one of my explicit goals, so good.
I'm from a former socialist country (both former socialist, and former country, since neither exist anymore).
It was when he wanted to own Ukraine that it rose to the level of significant intervention by the outside world.
At a glance and without very much context, it looks to me like this engineer was working on implementing Web Custom formats for the clipboard API [0], but broke the Google doodle sharing while doing so. It appears they were trying to restore old behavior as a temporary measure, but ended up breaking the checks altogether.
Their commit's comment[1] claims that the added variable should only be true if reading/writing a web custom format, but that obviously isn't the case (anymore?).
EDIT: Here is their original commit, which broke the doodle sharing: [2]. It extends the interaction requirement to custom formats, which wasn't true before. Their followup was meant to just undo that part of this commit, but appears to have done much more.
[0] https://chromestatus.com/feature/5649558757441536
[1] https://chromium.googlesource.com/chromium/src/+/4d7b74b051a...
[2] https://chromium.googlesource.com/chromium/src/+/a3b96a459cf...
But then a concurrent solution happened and almost everyone moved to chrome.
The history is sad but true: it's the general indifference to those conflict of interest that led us here...
I opened a bug with chromium when I first encountered that behavior ~10 years ago since it was an obvious security and privacy concern to me. Needless to say, the chromium devs didn't think it's an issue.
You would think browsers would ask permission for sites to do things like modify your clipboard, see when you copy/paste, track your mouse movements and text selections, etc. but google obviously isn't going to care about protecting the user from such things.
There are browser extensions. For example, my own StopTheMadness on macOS and iOS:
https://underpassapp.com/StopTheMadness/
I'm going to work on this navigator.clipboard issue, because I find it unsettling, and I use Chrome quite a bit.
For a long time, Chrome did not allow pages on the open web to use document.execCommand('copy') or document.execCommand('cut'), and there was a fairly steady stream of requests from web developers to enable this. Eventually, Chrome did expose this gated behind a user gesture: https://chromestatus.com/feature/5223997243392000
> So instead of changing their new tab page to require a gesture like all other sites... they decided to allow any website to copy text into the clipboard. Nice.
Ownership of the clipboard features has moved around a bit, and sometimes historical context around things like the user gesture requirement are lost. Here, the NTP doesn't actually need this to work without a user gesture. The correct fix here is to fix the NTP tests to correctly simulate a user gesture, not to allow writing to the clipboard without a user gesture.
> I think copying into the clipboard needs an overhaul—even with a gesture. Don't you hate when news sites add a "- from XYZ" to your clipboard? That shouldn't be possible. I'm not sure how you'd fix this, but it should be fixed.
This is a difficult problem to fix. There are absolutely websites that abuse this. But there are also pages that do use the legacy clipboard API events in non-abusive ways (e.g. rich text editors), and blocking this outright would break legitimate uses as well.
Maybe something like a "copy as plain text" option would make sense...
Wow, rude.
One possible answer to your question: there is no way for a browser to detect "consent", which is a subtle and nuanced concept, but user gestures have a hard and fast definition, so that's the proxy they use.
The number of sites that reasonably need to know when I copy/paste or need to override what happens when I do that is approximately zero. There's no reason to allow it by default for all sites.
Currently (until this bug) it’s supposed to trace back the call stack to the event that triggered it, and only allow it if the triggering event is something like a click. That’s what’s meant by “user gesture”, the opposite of code triggering it independently of the user.
“Consent” would be a positive acceptance in a browser controlled message box asking for permission to use the clipboard.
Most people agree that for copying to the clipboard the first is all that’s needed (there isn’t really a security concern here), for pasting from the clipboard the later is always required.
See the other discussion here: https://news.ycombinator.com/item?id=32614839
I would argue the actual vector is in the terminal, it should really validate the clipboard content.
Hide it in some hidden flag or something, but please, make plain text copying an option!
So bloody annoying, thanks Microsoft for continuing to make my life harder than it needs to be.
But all the other styling? The fonts, the colors, stuff like that that isn't in markdown? Nobody wants that.
Google is deeply philosophically opposed to doing that. Power users are a distraction from the billions of normal users.
Will they? Hah.
https://chromium.googlesource.com/chromium/src/+/4d7b74b051a...
But chrome-search://local-ntp/doodles.js is served from a chrome-search:// url, chrome could give it permissions without giving for every web page
If you look at the commit comment, it indicates that they understood they were only disabling the checks for the new clipboard feature they were working on, not for all clipboard actions.
Clipboard should exist at the OS level and web browsers should be unable to distinguish it from keyboard input.
Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.
I remember not long ago I got some confused looks from others for not using the "copy to clipboard" buttons that some sites (which I did trust enough to allow JS on) have around code blocks and the like. They were just as confused why I was not using that "useful feature" as I was why they didn't seem to realise that selection is a built-in feature of the browser that behaves (mostly) predictably and is available everywhere. I'd rather select the text myself than click a button that claims to do it for me.
Fucking web designers man!
The main reasons I use built-in copy buttons are: A) I don't end up with bits of whitespace at the start and end of the text if it wasn't formatted well on the website. B) Normal copy-paste in a browser will also copy a bunch of HTML formatting data, which I almost never want in a code snippet. I don't want to have to install an extension just to get plaintext.
If you can figure out copying and pasting how hard is that?
The only argument I can see for this is if you already have JS disabled.
I am torn between the usability vs security of this issue.
By default, you can copy to clipboard in all the major browsers when user takes an action, like click some buttons or links. So all these "copy code" buttons won't stop working. What does not in Firefox (and shouldn't in Chrome) is to do so without user's action.
Note: I have no idea what the rigid definition of "user's action" is. But clicking a button counts.
I think that copy/paste in browser should only be done with hotkeys like Ctrl + C/V or using menu. Sites should not have access to clipboard on click/tap because it is easy to misuse.
Verifying the "string of garbage" (which is actually a hash) is simply a matter of checking the first and last four characters, can be done in 10 seconds easily.
Going further, I want whatever I copy to be whatever I see when I hit copy. Which of course isn't possible in the interactive web.
But unfortunately devs for the last few decades think they can just leave everything undefined and change its meaning for their ad-hoc purposes every minute then claim computing is hard.