From the chrome bug[0] it seems like this was changed to work without a gesture because the new tab page needs to copy text for a Google Doodle...
So instead of changing their new tab page to require a gesture like all other sites... they decided to allow any website to copy text into the clipboard. Nice.
I think copying into the clipboard needs an overhaul—even with a gesture. Don't you hate when news sites add a "- from XYZ" to your clipboard? That shouldn't be possible. I'm not sure how you'd fix this, but it should be fixed.
This is why a web and ad giant shouldn’t be in charge of the world’s most popular browser as well as the world’s most popular web engine. Huge conflict of interest.
Chrome should be spun off into a non-profit that is barred from Google/Alphabet influence.
It's worth pointing out that the commit that did this was made by a Microsoft employee who has been working on the clipboard API, not a Google employee.
At a glance and without very much context, it looks to me like this engineer was working on implementing Web Custom formats for the clipboard API [0], but broke the Google doodle sharing while doing so. It appears they were trying to restore old behavior as a temporary measure, but ended up breaking the checks altogether.
Their commit's comment[1] claims that the added variable should only be true if reading/writing a web custom format, but that obviously isn't the case (anymore?).
EDIT: Here is their original commit, which broke the doodle sharing: [2]. It extends the interaction requirement to custom formats, which wasn't true before. Their followup was meant to just undo that part of this commit, but appears to have done much more.
Mozilla did some pretty nefarious things with Firefox as well though, for some marketing campaigns.
Not saying it’s worse, but it may not necessarily be due to Google also being an ad giant, but just corporations being corporations and having the wrong priorities.
That was such a strange choice by Mozilla, I mean the plug-in was specifically for people who play the Mr Robot game. Even after Mozilla force-pushed it to their entire user base players still had to manually enable it to play. If the whole damn thing required manual intervention anyway why didn’t they just put it in the addon store to start with?!
consider going librewolf instead, if your concern is security. I personally use librewolf for most things and brave for the few things that don't work well on firefox in linux (i.e. playing video from my nvr, my realtor website's 3d floor plan walkout, etc). Floccus and bitwarden keep bookmarks and passwords synced between the two so I barely notice which one I am using.
This is true. Russia is in fact a good case study of late-stage capitalism. You see, in American capitalism, everyone started equally and then had to build up to their monopoly positions today. In Russia, some people just started out with monopoly positions, due to corruption. So if we want to see what happens due to monopoly positions, we can just look there.
Americans all started equally? You sure that the early comers to America, who got huge amounts of land and resources, started equally to Irish and Italian immigrants?
And even the modern monopolies... Gates and his mom getting him a deal with IBM is a bit different than someone else without a well connected mom.
And looking at tax rates companies like facebook pay, I think corruption is very well alive in USA too.
“As a policy regime, it is described by academics as advocating economic and social interventions to promote social justice within the framework of a liberal-democratic polity and a capitalist-oriented mixed economy.”
Some of the world’s most successful countries are run that way.
Perhaps when you make a similar comment in future you could expand a bit and sketch out a possible alternative to that of people being free to trade things of value with other people under the aegis of a dynamic regulatory system? I guess you mean a specific meaning of 'capitalism' but the nature of that is not clear at all.
Option 1: the definition of "capitalism" requires that zero regulation be applied. In that case, abandon "capitalism" and replace it with whatever you'd call the same model but with regulation.
Option 2: a significant amount of regulation actually is enough alone to fatally destabilize capitalism. I do not believe this to be the case, but if it were, then it should very likely be abandoned, but it's difficult to know how other options might behave in this hypothetical universe.
I'm looking at this from an economics study view, not a public policy view.
Definitions have an inherently arbitrary component, sure. But stable, precise definitions are far easier to reason with than a shifting definition like "whatever the US is doing right now".
Capitalism requires that the capitalists (who own for a living) are in control of the state, so it has little incentive to stop Google from messing with your system.
The only certain way to stop them is for workers (who work for a living, the majority of us) to gain control of state power through a socialist revolution. Those historically are led by communists or similar.
So if you want control over your computer and ultimately life, join us in conspiring to overthrow capitalism.
The opposite throughout history seems to be the State becomes both the government, and those who “own for a living”. You go from a mixture of corrupt powers to one corrupt, almost absolute power.
That can happen, but it’s debatable how common it has been historically.
But it’s worth keeping in mind that the capitalists also control the media, school curriculums, academia (including economics and history), etc. It’s not hard for them to portray all socialist countries as far worse than they are, in order to discourage workers from rising up. And of course it is in the capitalists’ interest to do so.
As someone who has lived in this kind of a system in a country that doesn't exist anymore, I'd be (and am) a lot happier in a capitalist system, where workers can choose anytime to create their own business without the government owning it.
I'd be even happier if governments treated small businesses the same as they treat large (mostly by making tax avoidance impossible, and making the large pay the same taxes as the small ones too), but that's practically impossible with the corruption in our governments.
Workers need capital to create a business. They can’t gain capital while the majority of the surplus they create through labour is taken by capitalists.
You’re happier in a richer country, as are many of us Eastern Europeans that have been forced to emigrate. We could’ve been even happier in our own countries while having collective control over the means of production, but the (foreign) capitalists made sure that wasn’t possible through propaganda, coups, sanctions and invasions.
Many, many businesses need very little capital to start, less than a price of a car, that most of the people complaining about that, are currently driving.
I haven't moved, I still live in the same city, the country is the one that doesn't exist anymore.
The way I see it is that forms of socialism and communism are true democracies in that when everyone is part of the state we should all have equal say, an equal vote in deciding policy
Google has achieved high economies of scale in many areas but mainly in skirting taxation and government regulation. That's corrupt cronyism, not capitalism. The positive quality of capitalism is its efficiency, good luck finding that inside bureaucratic google.
Capitalism requires competition and there is little competition in anything google does. That's in large part due to how heavily "subsidized" they became thanks to governments "overlooking" blatant tax avoidance.
Putin has invested significant resources into owning Ukraine, too, so if people have a right to own whatever they invest significant resources into, then Putin has a right to own Ukraine.
Yes, but (continuing the argument) the rest of the world has also invested significant resources into Ukraine to counter his ownership claim (in a way that never really happened while he was solidifying his hold on Russia).
Disclaimer: I am a Chrome developer, who formerly worked on the clipboard.
For a long time, Chrome did not allow pages on the open web to use document.execCommand('copy') or document.execCommand('cut'), and there was a fairly steady stream of requests from web developers to enable this. Eventually, Chrome did expose this gated behind a user gesture: https://chromestatus.com/feature/5223997243392000
> So instead of changing their new tab page to require a gesture like all other sites... they decided to allow any website to copy text into the clipboard. Nice.
Ownership of the clipboard features has moved around a bit, and sometimes historical context around things like the user gesture requirement is lost. Here, the NTP doesn't actually need this to work without a user gesture. The correct fix here is to fix the NTP tests to correctly simulate a user gesture, not to allow writing to the clipboard without a user gesture.
> I think copying into the clipboard needs an overhaul—even with a gesture. Don't you hate when news sites add a "- from XYZ" to your clipboard? That shouldn't be possible. I'm not sure how you'd fix this, but it should be fixed.
This is a difficult problem to fix. There are absolutely websites that abuse this. But there are also pages that do use the legacy clipboard API events in non-abusive ways (e.g. rich text editors), and blocking this outright would break legitimate uses as well.
Maybe something like a "copy as plain text" option would make sense...
> Maybe something like a "copy as plain text" option would make sense
That's all I _ever_ want. I never want to copy rich text. I even have a background script that removes formatting from the clipboard every second, to make copying less frustrating.
Hide it in some hidden flag or something, but please, make plain text copying an option!
Right? I think, in 25+ years of computing, I have never once wanted to paste rich text. Ever. I just want to paste the text! Yet every time, I have to either fumble for the "paste and match style" key combo, or fix things afterwards.
FWIW, I actually have wanted that, usually when I'm copying a chunk of text and I want to keep inline hyperlinks intact. I'm not sure I want that more often than I want a plain text option that strips out all the formatting, but it does come up.
The trick is that 99% of the time I want Markdown. That is, I want hyperlinks, bullets, headers, strong, etc. to stay hyperlinks, bullets, headers, etc.
But all the other styling? The fonts, the colors, stuff like that that isn't in markdown? Nobody wants that.
Don't most apps allow you to paste plain text with Ctrl+Shift+V nowadays? That's what I almost always use, unless I have some use for the copied rich text.
Annoyingly the GitHub comment box doesn't. Incredibly frustrating to copy someone's name from the GitHub webpage and paste it and it pastes as a markdown link which doesn't trigger a mention.
Sure, it depends on `xclip`, which you might need to install, and `perl` which you probably already have. I only run it while I'm actually copying and pasting as I don't like leaving loops running, that said, with the 1 second sleep it's really not so bad.
#!/bin/bash
while true ; do xclip -sel primary -o | perl -pe 'chomp if eof' | xclip -sel primary ; sleep 1 ; done
Note that this affects only the primary selection, e.g. the copy-on-highlight and paste-on-middle-click clipboard. I hardly ever use the rodent, but when I do, this is what I use it for. You could easily adapt the script to the Ctrl-C Ctrl-V clipboard.
Then make it a regular option. My point was that _if_ it's not deemed important enough to expose a UI option for, at least make it possible some other way.
I’ve remapped ⌘V on my work laptop to paste as plain text which works great everywhere except Outlook, which disables that in email metadata (recipients, subject).
So bloody annoying, thanks Microsoft for continuing to make my life harder than it needs to be.
Better than Gmail which automatically parses text on paste, and, as the cherry on top, even when it recognizes that and alerts on a failed parse (making a red chip), refuses to let you edit the text to fix it.
Why do you call it a "user gesture" and not "consent" as it should absolutely be? Is it to reinforce the notion that users' actions are only to be taken as mere suggestions and ignored if they are contrary to your goals?
"user gesture" and "consent" are two completely different things.
Currently (until this bug) it’s supposed to trace back the call stack to the event that triggered it, and only allow it if the triggering event is something like a click. That’s what’s meant by “user gesture”, the opposite of code triggering it independently of the user.
“Consent” would be a positive acceptance in a browser controlled message box asking for permission to use the clipboard.
Most people agree that for copying to the clipboard the first is all that’s needed (there isn’t really a security concern here), for pasting from the clipboard the latter is always required.
> Is it to reinforce the notion that users' actions are only to be taken as mere suggestions and ignored if they are contrary to your goals?
Wow, rude.
One possible answer to your question: there is no way for a browser to detect "consent", which is a subtle and nuanced concept, but user gestures have a hard and fast definition, so that's the proxy they use.
When a site wants access to my camera or microphone, the browser detects my consent by asking me. I don't see why listening to clipboard events shouldn't be treated in the same way. Likewise with mouse and keyboard tracking events.
The number of sites that reasonably need to know when I copy/paste or need to override what happens when I do that is approximately zero. There's no reason to allow it by default for all sites.
If you just want to add text in, it is even easier, no JS required. just CSS: insert an element into your text that is positioned off-screen. When the user selects and copies, they'll get that text too.
I think there are a bunch of decent uses for that, like rich text editors (eg select text, hit ctrl-b, and the text is bolded).
There are also some sites that popup a small box above your selection with a share box. Straight to hell with those. Compulsive selectors go mad on those sites. That's you, medium.com.
Well, I'm not sure what you're waving at. If the website is nothing more than a RTE, then it's better (and safer) to do it in the browser. If the RTE is just part of the website, then that's a part that's better done in the browser.
Perhaps you want a RTE that doesn't depend on JS. I think that's a reasonable thing to want; but if you normally browse with JS switched off, then running into a working RTE is at least going to violate the Principle of Least Surprise.
Why are websites allowed to know that I hover an element?
Javascript knows about clicks, doubleclicks, hovers... like almost every interaction the user does. There are use cases but also potential to be exploited somehow.
Humor me as someone without much web development experience - but what's to stop websites from displaying unclosable ads/popups? As in the "x" does nothing, or maybe doesn't appear at all?
Firefox has (had?) a flag to disable clipboard-related JS events but this flag is global and toggling it breaks copying from various rich text editors.
> Don't you hate when news sites add a "- from XYZ" to your clipboard? That shouldn't be possible.
I opened a bug with chromium when I first encountered that behavior ~10 years ago since it was an obvious security and privacy concern to me. Needless to say, the chromium devs didn't think it's an issue.
You would think browsers would ask permission for sites to do things like modify your clipboard, see when you copy/paste, track your mouse movements and text selections, etc. but google obviously isn't going to care about protecting the user from such things.
You don't need to modify the clipboard to do that, news sites were doing it long before the clipboard API existed. It's usually done with CSS, abusing display properties, positioning, font size, etc to make attributions a non-visible but still copied part of the text.
One thing that should be done is a user setting to configure this capability. If it is disabled then their copying to clipboard does not have any effect (this is not detectable by the web page), except if you push the key combinations (or menu items) to normally do so while the text is selected in which case only that text is copied to the clipboard. This also would affect which text can be selected, too, not only the clipboard. Disabling fonts also can be possible, etc.
(On my computer I usually disable the scripts so that it will not do such things, but even if scripts are enabled, you might want to configure that feature too.)
A long time ago I developed a way to append that text you’re talking about as an in house feature so we didn’t have to use that service whose name is escaping me right now. Probably spent two weeks making it cross browser. It was fairly simple at the end of the day and didn’t require any exploits to the clipboard api, just some really good assumptions and timing it just right to flip some selection. The hard part was restoring the user’s original selection without making it obvious. I still hate that I did this.
> Don't you hate when news sites add a "- from XYZ" to your clipboard? That shouldn't be possible. I'm not sure how you'd fix this, but it should be fixed.
There are browser extensions. For example, my own StopTheMadness on macOS and iOS:
commit 4d7b74b051abfe5945f418601fdc2ffc8ce3072c
Author: Anupam Snigdha <snianu@microsoft.com>
Date: Tue Jun 07 16:36:28 2022
[Clipboard API] Remove user gesture requirement for read/writeText.
Adding user gesture requirement for readText and writeText APIs
breaks NTP doodle sharing. We are relaxing this check for now, but
we should fix this for sites to not rely on these APIs to be called
without a user gesture.
See NewTabPageDoodleShareDialogFocusTest.All test for more details.
Because despite what the commit message seems to imply to someone unfamiliar with the Clipboard API, navigator.clipboard.readText triggers the clipboard permission prompt. writeText is different in that there's no permission to grant to begin with, it was only gated behind user interaction, which was lifted.
It looks like a Microsoft engineer accidentally broke some Google code while implementing an unrelated feature. They tried to restore the old behavior but ended up actually breaking the interaction checks altogether.
If you look at the commit comment, it indicates that they understood they were only disabling the checks for the new clipboard feature they were working on, not for all clipboard actions.
Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.
Yet more vindication for those who disable JS and whitelist it only for a small subset of trusted sites. I should not need to run arbitrary code from a site just to be able to view text, images, and interact with forms.
I remember not long ago I got some confused looks from others for not using the "copy to clipboard" buttons that some sites (which I did trust enough to allow JS on) have around code blocks and the like. They were just as confused why I was not using that "useful feature" as I was why they didn't seem to realise that selection is a built-in feature of the browser that behaves (mostly) predictably and is available everywhere. I'd rather select the text myself than click a button that claims to do it for me.
I'm also a bit confused by that. Websites can already do just as many malicious things when you interact anywhere else with JS enabled, so I don't see the security argument. They can also quite trivially insert invisible text if they for some reason want you to copy something different than what's displayed.
The main reasons I use built-in copy buttons are:
A) I don't end up with bits of whitespace at the start and end of the text if it wasn't formatted well on the website.
B) Normal copy-paste in a browser will also copy a bunch of HTML formatting data, which I almost never want in a code snippet. I don't want to have to install an extension just to get plaintext.
It can be a pain but this is how I traverse the internet. I get really annoyed with sites where I have to enable JavaScript to view text. I like both noscript and ublock advanced (not together), but much preferred umatrix when it was in development.
You might already be aware of this but use the developer tools of the browser to check for "display: none" or "visibility: hidden" or "opacity: 0" style attributes on some html element (sometimes the <body> element)
Haha, yeah it's a pain, I've a bookmarklet for looping through some of this CSS stuff to make it visible on desktop. Neither much use on mobile though.
Looks like this "works" on Android 13 Chrome as well. Had the nice little clipboard popup when something gets put on the clipboard with the expected message contents.
This has a great potential for advertising. Everyone likes to get unique offers delivered into their clipboards.
I think that copy/paste in browser should only be done with hotkeys like Ctrl + C/V or using menu. Sites should not have access to clipboard on click/tap because it is easy to misuse.
Even better!: You can refresh the clipboard regularly, for as long as the user is on the page! That way, they'll get access to important notifications about our cool products, while they are coding or handling text in other ways!
At one point I recall a website that would quietly paste a Bitcoin address into the user's clipboard on every interaction. I'm sure this worked reasonably well for them -- who can tell that they've pasted the wrong string of garbage into a transaction UI?
This is why you don't break abstractions. If I'm a user I expect the clipboard to only change when I press ctrl+c or right click -> copy. These should be authoritatively controlled mechanisms that untrusted programs cannot override.
Going further, I want whatever I copy to be whatever I see when I hit copy. Which of course isn't possible in the interactive web.
But unfortunately devs for the last few decades think they can just leave everything undefined and change its meaning for their ad-hoc purposes every minute then claim computing is hard.
Because almost zero percent of cryptocurrency users blindly paste addresses into clients without at least double-checking it was actually the address they wanted to paste. Most of them are conditioned not to trust anything, and double-verify. If you're sending a large amount, you first send a small amount, verify it arrived to the correct address and then send the proper amount.
Verifying the "string of garbage" (which is actually a hash) is simply a matter of checking the first and last four characters, can be done in 10 seconds easily.
You have a great deal more faith in the competence, rigor, and patience of the average user than I do. (Let alone the 10th percentile user, which is who would be more likely hit.)
It shouldn’t. Notice how in google docs you can copy via the right click menu but you can’t paste. For paste the app tells you to use the keyboard shortcut as JS doesn’t have access to reading the clipboard.
Writing to it is super common for things like share links where clicking the button puts them in the clipboard.
Yes, it can be exploited - which is why terminals are adding confirmation steps to pasted multiline text (to avoid running the commands without user even seeing them).
Or on crypto DEXes where you paste in one address, the compromised exchange website shows you what you pasted with a CSS overlay but in reality, the real input field underneath has already been replaced with a Tornado Cash address, so when you submit the form, it's crypto go bye bye.
This is not even a clipboard problem. If the site is compromised, they can display the correct value in the input form, but submit the malicious value in the code that triggers the wallet transaction.
The user’s wallet software can detect these by warning the user that the contract address is unknown or never before seen by them.
If you manually copy text then that's a "gesture". Sites are able to add malicious code when you copy text and this won't change as far as I know. In terms of security, it's horrible but not new.
The answer is simple: don't copy/paste commands, or at the very least review what you're about to execute after pasting. Reasonable terminals give you a warning that you're about to paste multiple lines and let you read the text before okaying.
Besides this is irrelevant. Websites have always been able to do what you're describing, because copying is a gesture. This bug doesn't change that.
Yes that's why you shouldn't run curl | sh commands without double or triple checking. Even without this exploit. Check the scripts that are being downloaded and check if this script you download is really the same as for example in the git repo.
Pasting anything whatsoever in the shell is a vuln if you are on a system where untrusted programs can set the clipboard. Even typing "echo <ctrl+shift+v>". And no, it's not detectable either.
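The paste confirmation step that several comments above attribute to terminals, sketched as an added example (not code from the thread or from any terminal emulator): a check a paste handler could run on clipboard text before handing it to a shell. The function names, finding labels and sample strings are constructed for illustration.

```javascript
// Added example, not from the thread. All names and samples are constructed.

// C0 control characters other than tab, LF and CR, plus DEL (ESC is included).
const CONTROL = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/;

// Code points that render as nothing or reorder the displayed text.
const INVISIBLE = /[\u200B-\u200F\u202A-\u202E\u2060-\u2064\u2066-\u2069\uFEFF]/;

// Render the text so nothing in it can stay hidden: printable ASCII is kept,
// line breaks are shown and kept, everything else becomes \u{...}.
function escapeForPreview(text) {
  let out = "";
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (ch === "\n") out += "\\n\n";
    else if (cp >= 0x20 && cp < 0x7f) out += ch;
    else out += "\\u{" + cp.toString(16) + "}";
  }
  return out;
}

function inspectPaste(text) {
  const findings = [];
  // A line break submits the line: the shell runs it before the user presses Enter.
  if (/[\r\n]/.test(text)) findings.push("newline");
  if (CONTROL.test(text)) findings.push("control-char");
  if (INVISIBLE.test(text)) findings.push("invisible-unicode");
  // Count the non-empty lines, i.e. how many commands a shell would see.
  const lines = text.split(/\r\n|\r|\n/).filter((l) => l.trim() !== "").length;
  return { safe: findings.length === 0, findings, lines, preview: escapeForPreview(text) };
}

// Decide what the paste handler does with the clipboard text.
function pasteDecision(text) {
  const r = inspectPaste(text);
  if (r.safe) return { action: "paste", text };
  // Never forward silently: show the escaped preview and wait for confirmation.
  return { action: "confirm", reasons: r.findings, lines: r.lines, preview: r.preview };
}

// Constructed sample clipboard contents.
const SAMPLES = {
  plain: "ls -la /var/log",
  trailingNewline: "echo hello\n",
  twoLines: "git status\necho second-command\n",
  escapeSequence: "echo a\x1b[31m",
  directionOverride: "cat report\u202Etxt.sh",
};

for (const [name, sample] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(pasteDecision(sample)));
}
```

Only single-line text made of visible characters passes without a prompt; everything else comes back with an escaped preview to confirm.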
Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.
The title is kinda misleading. "[W]ith user's permission" probably should be "with user's action" instead.
By default, you can copy to clipboard in all the major browsers when user takes an action, like click some buttons or links. So all these "copy code" buttons won't stop working. What does not work in Firefox (and shouldn't in Chrome) is to do so without user's action.
Note: I have no idea what the rigid definition of "user's action" is. But clicking a button counts.
[0] crbug.com/1334203