I just turned this preference off in Firefox, and it didn't stop the demo from working, which makes sense since the preference says it only disables oncopy/cut/paste events, and this demo uses a different method.
This is because the Firefox preference is useless - it only disables the clipboard events, but not the clipboard access from any other event. So the demo simply hooks the keydown event instead. Have a look at the source, it's really quite straightforward.
What browsers really should have are a standard "Ask & Whitelist" dialog for all of these security critical features[1]. It seems Firefox even used to have this feature, but it and the corresponding addon have long since crumbled to dust[2].
Unfortunately browsers are no longer controlled by hackers who think about all the implications of a feature, but by corporations who think about money, and us hackers have to spend inordinate amounts of time trying to play security whack-a-mole, or be forced to give up and use our browsers like sheep, the way the corporations want us to.
[1] There's many more, including utterly ridiculous stuff such as telling websites the battery charge status of your device (and if your charger is plugged in): https://gist.github.com/haasn/69e19fc2fe0e25f3cff5
They had a pretty useful per-site configuration mechanism that wasn't UI-configurable so someone started to make a UI for it, but then some higher-up decided they should remove the whole thing completely! The screenshots they have there look so awesome:
> Unfortunately browsers are no longer controlled by hackers who think about all the implications of a feature, but by corporations who think about money, and us hackers have to spend inordinate amounts of time trying to play security whack-a-mole, or be forced to give up and use our browsers like sheep, the way the corporations want us to.
FWIW, the features that this uses have their origins in proprietary IE5 features (maybe 5.5?). Whether this attack works in IE5 I leave as an exercise to someone else.
Note that the tradeoffs are more complex than what one might naïvely assume: people weren't using the feature as it existed in Firefox before because it required explicit user interaction, but doing the same thing through Flash didn't… so everyone just used Flash. In effect, this is a security bug the platform has long had (because, like it or not, de-facto the web platform for the longest time included Flash). Now, should we blindly copy everything Flash can do? Of course not. But if something is making people hold on to Flash, we really should consider the tradeoffs. Are we just gaining theoretical superiority but practical irrelevance (on desktop at least; mobile where Flash is gone is a different story)?
> I just turned this preference off in Firefox, and it didn't stop the demo from working, which makes sense since the preference says it only disables oncopy/cut/paste events, and this demo uses a different method.
Oncopy is a named javascript event type that triggers when you copy the text of an element.
This method is more sophisticated; it monitors the whole page for copy commands, and has an event listener watching to see when this 'copy' command is executed.
