Readit News logoReadit News
Posted by u/zagrebian 3 years ago
Chrome allows websites to write to the clipboard without the user’s permission
Steps to reproduce:

1. Visit https://webplatform.news/ in a Chromium-based browser

2. Inspect your clipboard (paste it somewhere)

zebracanevra · 3 years ago
From the chrome bug[0] it seems like this was changed to work without a gesture because the new tab page needs to copy text for a Google Doodle...

So instead of changing their new tab page to require a gesture like all other sites... they decided to allow any website to copy text into the clipboard. Nice.

I think copying into the clipboard needs an overhaul—even with a gesture. Don't you hate when news sites add a "- from XYZ" to your clipboard? That shouldn't be possible. I'm not sure how you'd fix this, but it should be fixed.

[0] crbug.com/1334203

kitsunesoba · 3 years ago
This is why a web and ad giant shouldn’t be in charge of the world’s most popular browser as well as the world’s most popular web engine. Huge conflict of interest.

Chrome should be spun off into a non-profit that is barred from Google/Alphabet influence.

lolinder · 3 years ago
It's worth pointing out that the commit that did this was made by a Microsoft employee who has been working on the clipboard API, not a Google employee.

At a glance and without very much context, it looks to me like this engineer was working on implementing Web Custom formats for the clipboard API [0], but broke the Google doodle sharing while doing so. It appears they were trying to restore old behavior as a temporary measure, but ended up breaking the checks altogether.

Their commit's comment[1] claims that the added variable should only be true if reading/writing a web custom format, but that obviously isn't the case (anymore?).

EDIT: Here is their original commit, which broke the doodle sharing: [2]. It extends the interaction requirement to custom formats, which wasn't true before. Their followup was meant to just undo that part of this commit, but appears to have done much more.

[0] https://chromestatus.com/feature/5649558757441536

[1] https://chromium.googlesource.com/chromium/src/+/4d7b74b051a...

[2] https://chromium.googlesource.com/chromium/src/+/a3b96a459cf...

stingraycharles · 3 years ago
Mozilla did some pretty nefarious things with Firefox as well though, for some marketing campaigns.

Not saying it’s worse, but it may not necessarily be due to Google also being an ad giant, but just corporations being corporations and having the wrong priorities.

n0n0n4t0r · 3 years ago
It was a reality named Firefox.

But then a concurrent solution happened and almost everyone moved to chrome.

The history is sad but true: it's the general indifference to those conflict of interest that led us here...

BbzzbB · 3 years ago
World's most popular mobile OS too. Used to push said browser, ripped of extensibility (I guess they couldn't blacklist ad blockers specifically).
swyx · 3 years ago
Google has sunk about $100m into developing Chrome. People need to expect to own things after making big investments. That's how any of this works.

dictate random policies like that and you will watch American capitalism die.

zetafunction · 3 years ago
Disclaimer: I am a Chrome developer, who formerly worked on the clipboard.

For a long time, Chrome did not allow pages on the open web to use document.execCommand('copy') or document.execCommand('cut'), and there was a fairly steady stream of requests from web developers to enable this. Eventually, Chrome did expose this gated behind a user gesture: https://chromestatus.com/feature/5223997243392000

> So instead of changing their new tab page to require a gesture like all other sites... they decided to allow any website to copy text into the clipboard. Nice.

Ownership of the clipboard features has moved around a bit, and sometimes historical context around things like the user gesture requirement are lost. Here, the NTP doesn't actually need this to work without a user gesture. The correct fix here is to fix the NTP tests to correctly simulate a user gesture, not to allow writing to the clipboard without a user gesture.

> I think copying into the clipboard needs an overhaul—even with a gesture. Don't you hate when news sites add a "- from XYZ" to your clipboard? That shouldn't be possible. I'm not sure how you'd fix this, but it should be fixed.

This is a difficult problem to fix. There are absolutely websites that abuse this. But there are also pages that do use the legacy clipboard API events in non-abusive ways (e.g. rich text editors), and blocking this outright would break legitimate uses as well.

Maybe something like a "copy as plain text" option would make sense...

dotancohen · 3 years ago

  > Maybe something like a "copy as plain text" option would make sense
That's ask I _ever_ want. I never want to copy rich text. I even have a background script that removes formatting from the clipboard every second, to make copying less frustrating.

Hide it in some hidden flag or something, but please, make plain text copying an option!

lupire · 3 years ago
All we need is "copy without running JavaScript". Just look at what is actually rendered, and copy that. And it should be the default.
userbinator · 3 years ago
Why do you call it a "user gesture" and not "consent" as it should absolutely be? Is it to reinforce the notion that users' actions are only to be taken as mere suggestions and ignored if they are contrary to your goals?
matheusmoreira · 3 years ago
> Don't you hate when news sites add a "- from XYZ" to your clipboard?

And then there's the "clever" sites that replace the text I copied with a message like "haha you thought you could copy this? think again sucker".

zebracanevra · 3 years ago
I feel like if you've selected some text, then pressing copy should always copy that text and nothing else.

But then: what's to stop websites from detecting you've selected text, unselecting it, and copying the bad text in, and then reselecting it...

There are so many loopholes I can imagine to get around these restrictions :(

blep-arsh · 3 years ago
Firefox has (had?) a flag to disable clipboard-related JS events but this flag is global and toggling it breaks copying from various rich text editors.
jacquesm · 3 years ago
That's pretty benign. Replacing it with "rm -rf /" would be a lot nastier. (And will teach people not to browse with root windows open ;) ).
ndriscoll · 3 years ago
> Don't you hate when news sites add a "- from XYZ" to your clipboard? That shouldn't be possible.

I opened a bug with chromium when I first encountered that behavior ~10 years ago since it was an obvious security and privacy concern to me. Needless to say, the chromium devs didn't think it's an issue.

You would think browsers would ask permission for sites to do things like modify your clipboard, see when you copy/paste, track your mouse movements and text selections, etc. but google obviously isn't going to care about protecting the user from such things.

chalupa-man · 3 years ago
You don't need to modify the clipboard to do that, news sites were doing it long before the clipboard API existed. It's usually done with CSS, abusing display properties, positioning, font size, etc to make attributions a non-visible but still copied part of the text.
zzo38computer · 3 years ago
One thing that should be done is a user setting to configure this capability. If it is disabled then their copying to clipboard does not have any effect (this is not detectable by the web page), except if you push the key combinations (or menu items) to normally do so while the text is selected in which case only that text is copied to the clipboard. This also would affect which text can be selected, too, not only the clipboard. Disabling fonts also can be possible, etc.

(On my computer I usually disable the scripts so that it will not do such a things, but even if scripts are enabled, you might want to configure that feature too.)

BeefWellington · 3 years ago
Firefox does this via the setting:

    dom.event.clipboardevents.enabled

dawnerd · 3 years ago
A long time ago I developed a way to append that text you’re talking about as an in house feature so we didn’t have to use that service whose name is escaping me right now. Probably spent two weeks making it cross browser. It was fairly simple at the end of the day and didn’t require any exploits to the clipboard api, just some really good assumptions to and timing it just right to flip some selection. The hard part was restoring the users original selection without making it obvious. I still hate that I did this.
lapcat · 3 years ago
> Don't you hate when news sites add a "- from XYZ" to your clipboard? That shouldn't be possible. I'm not sure how you'd fix this, but it should be fixed.

There are browser extensions. For example, my own StopTheMadness on macOS and iOS:

https://underpassapp.com/StopTheMadness/

I'm going to work on this navigator.clipboard issue, because I find it unsettling, and I use Chrome quite a bit.

samatman · 3 years ago
Google search could put an end to that practice by having crawlers select and copy some text, and penalizing sites which gunk up the results.

Will they? Hah.

oefrha · 3 years ago
Relevant commit:

https://chromium.googlesource.com/chromium/src/+/4d7b74b051a...

  commit 4d7b74b051abfe5945f418601fdc2ffc8ce3072c
  Author: Anupam Snigdha <snianu@microsoft.com>
  Date: Tue Jun 07 16:36:28 2022

  [Clipboard API] Remove user gesture requirement for read/writeText.

  Adding user gesture requirement for readText and writeText APIs
  breaks NTP doodle sharing. We are relaxing this check for now, but
  we should fix this for sites to not rely on these APIs to be called
  without a user gesture.
  See NewTabPageDoodleShareDialogFocusTest.All test for more details.

RunSet · 3 years ago
Why is the headline about writing to the clipboard when reading FROM the clipboard without permission is much worse?

Clipboard should exist at the OS level and web browsers should be unable to distinguish it from keyboard input.

oefrha · 3 years ago
Because despite what the commit message seems to imply to someone unfamiliar with the Clipboard API, navigator.clipboard.readText triggers the clipboard permission prompt. writeText is different in that there's no permission to grant to begin with, it was only gated behind user interaction, which was lifted.
nextaccountic · 3 years ago
What is a NTP doodle? Is this related to chrome-search://local-ntp/doodles.js? (I can't see because I don't use chrome)

But chrome-search://local-ntp/doodles.js is served from a chrome-search:// url, chrome could give it permissions without giving for every web page

llacb47 · 3 years ago
New tab page google doodle
userbinator · 3 years ago
This is an excellent example of why attributing individual small contributions to your real-life identity online is not a good idea.
donclark · 3 years ago
This is what was in my clipboard:

Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.

userbinator · 3 years ago
Yet more vindication for those who disable JS and whitelist it only for a small subset of trusted sites. I should not need to run arbitrary code from a site just to be able to view text, images, and interact with forms.

I remember not long ago I got some confused looks from others for not using the "copy to clipboard" buttons that some sites (which I did trust enough to allow JS on) have around code blocks and the like. They were just as confused why I was not using that "useful feature" as I was why they didn't seem to realise that selection is a built-in feature of the browser that behaves (mostly) predictably and is available everywhere. I'd rather select the text myself than click a button that claims to do it for me.

jcparkyn · 3 years ago
I'm also a bit confused by that. Websites can already do just as many malicious things when you interact anywhere else with JS enabled, so I don't see the security argument. They can also quite trivially insert invisible text if they for some reason want you to copy something different than what's displayed.

The main reasons I use built-in copy buttons are: A) I don't end up with bits of whitespace at the start and end of the text if it wasn't formatted well on the website. B) Normal copy-paste in a browser will also copy a bunch of HTML formatting data, which I almost never want in a code snippet. I don't want to have to install an extension just to get plaintext.

ipaddr · 3 years ago
Or paste your text into notepad and re-copy and paste.

If you can figure out copying and pasting how hard is that?

unixbane · 3 years ago
The whitespace thing is a bug, too.
account-5 · 3 years ago
It can be a pain but this is how I traverse the internet. I get really annoyed with sites where I have to enable JavaScript to view text. I'm like both noscript and ublock advanced (not together), but much preferred umatrix when it was in development.
Am4TIfIsER0ppos · 3 years ago
You might already be aware of this but use the developer tools of the browser to check for "display: none" or "visibility: hidden" or "opacity: 0" style attributes on some html element (sometimes the <body> element)

Fucking web designers man!

mey · 3 years ago
Looks like this "works" on Android 13 Chrome as well. Had the nice little clipboard popup when something gets put on the clipboard with the expected message contents.

Doesn't happen on Firefox as expected.

Deleted Comment

codedokode · 3 years ago
This has a great potential for advertising. Everyone likes to get unique offers delivered into theirclipboards.

I think that copy/paste in browser should only be done with hotkeys like Ctrl + C/V or using menu. Sites should not have access to clipboard on click/tap because it is easy to misuse.

zelphirkalt · 3 years ago
Even better!: You can refresh the clipboard regularly, for as long as the user is on the page! That way, they'll get access to important notifications about our cool products, while they are coding or handling text in other ways!
phyzome · 3 years ago
At one point I recall a website that would quietly paste a Bitcoin address into the user's clipboard on every interaction. I'm sure this worked reasonably well for them -- who can tell that they've pasted the wrong string of garbage into a transaction UI?
unixbane · 3 years ago
This is why you don't break abstractions. If I'm a user I expect the clipboard to only change when I press ctrl+c or right click -> copy. These should be authoritatively controlled mechanisms that untrusted programs cannot override.

Going further, I want whatever I copy to be whatever I see when I hit copy. Which of course isn't possible in the interactive web.

But unfortunately devs for the last few decades think they can just leave everything undefined and change its meaning for their ad-hoc purposes every minute then claim computing is hard.

capableweb · 3 years ago
Because almost zero percent of cryptocurrency users blindly paste addresses into clients without at least double-checking it was actually the address they wanted to paste. Most of them are conditioned not to trust anything, and double-verify. If you're sending a large amount, you first send a small amount, verify it arrived to the correct address and then send the proper amount.

Verifying the "string of garbage" (which is actually a hash) is simply a matter of checking the first and last four characters, can be done in 10 seconds easily.

phyzome · 3 years ago
You have a great deal more faith in the competence, rigor, and patience of the average user than I do. (Let alone the 10th percentile user, which is who would be more likely hit.)