
Cool site. I'm a bit annoyed that sites can seemingly overwrite your clipboard without confirmation, on Android at least!



No, it makes sense. "Copy this" buttons are common on websites, but probably require a button click to initiate. Since you clicked on a button, you provided the input necessary to copy to the clipboard.


Copying to the clipboard is unrestricted even without a click, but reading clipboard text requires a permission popup.

https://web.dev/async-clipboard/#security-and-permissions:~:...


This is exactly what I was thinking.

Theoretically, a bad actor could have a site or even inject code onto a site with an innocuous-looking bash command, but upon copy injects, say, rm -rf ~ \n


This can be done even without the clipboard API - See https://thejh.net/misc/website-terminal-copy-paste and further https://security.stackexchange.com/a/113630/96942


Seems like this requires you to select some text (which includes some text that's been hidden using CSS tricks) and copy it. So it's not like the website can just arbitrarily write to your clipboard without your interaction? (Still, this is kinda scary and I didn't know about this.)


They can append the message to whatever you'll actually want to copy, which is how websites used to do things like this.

- Copied from https://news.ycombinator.com/item?id=26590437


Really interesting (and terrifying) reads, thank you.


The real bug is that \n pasted into the terminal counts as hitting enter. iTerm has fixed this but every Linux terminal I have used has this issue.


Every Linux terminal I've used has a pop-up when there's a new newline. Like this, which in this case is xfce4-terminal. [0]

[0] https://i.imgur.com/ubCXASQ.png



Gnome-terminal, probably the largest by user base, does not, sadly.


Huh, I've never gotten a prompt like that in Terminator.


Is it still possible to paste into vim, for example? If so, how does the terminal make the distinction?
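
The paste checks discussed in this sub-thread, as an added Python example that is not part of the original comments: it flags clipboard text carrying line breaks or control characters before it reaches a shell, and shows bracketed paste, the xterm-style markers a terminal puts around pasted text so that a program which asked for them can tell a paste from typing. The function names and sample strings are constructed for illustration.

```python
import re

# Bracketed-paste markers (xterm convention). A program enables the mode and the
# terminal then wraps every paste in these, so "\n" inside is data, not Enter.
PASTE_START = "\x1b[200~"
PASTE_END = "\x1b[201~"

# Control characters other than tab and line feed, including ESC and DEL.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")

# Constructed samples: what the user meant to copy, what a page appended to it,
# and a variant that embeds the paste-end marker to break out of the wrapper.
CLEAN = "ls -la"
APPENDED = "ls -la\necho appended-by-page\n"
EVASION = "ls" + PASTE_END + "\necho appended-by-page\n"


def inspect_paste(text):
    """Return the reasons this text should be reviewed before pasting (hypothetical helper)."""
    findings = []
    if re.search(r"[\r\n]", text):
        findings.append("newline")           # a shell would execute without Enter
    if PASTE_END in text:
        findings.append("paste-end-marker")  # could close bracketed paste early
    if _CONTROL.search(text.replace("\r", "")):
        findings.append("control-char")
    return findings


def sanitize_paste(text):
    """Normalise line endings, then drop control characters (ESC included)."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return _CONTROL.sub("", text)


def bracket(text):
    """Wrap sanitised text the way a terminal in bracketed-paste mode delivers it."""
    return PASTE_START + sanitize_paste(text) + PASTE_END


if __name__ == "__main__":
    for sample in (CLEAN, APPENDED, EVASION):
        print(repr(sample), "->", inspect_paste(sample) or "ok")
    print(repr(bracket(EVASION)))
```
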


Is it? When I click the "Write" button, it turns green, but when I click "Write (delayed)", after a while it turns red. So it seems (at least on Firefox 87) even the clipboard write API is restricted to user-action event handlers.


It’s also a privacy issue. Google’s Firebase Dynamic Links is using it non-maliciously to survive app installs for deep linking (when the app is not installed it helps you redirect the user to the correct screen after the install), however any webpage can actually put something on your clipboard and match you on an app by reading your clipboard.

With iOS 14 at least we can tell when apps are reading the clipboard.


Seems like a great method to social engineer people into copying to clipboard something that will install a trojan, get them to open a command prompt and paste it, in the general concept of curl piped into a shell.



