Chromium Browsers Allows Sites to Add Clipboard Content Without User Permission
-
This article on Hacker News discusses how Chrome/ium based browsers allow websites to copy text to the clipboard without any user action or notification. At first I shrugged, but the more I think about it the more it bothers me that a site can manipulate my clipboard without any notification to or action by the user. I can understand why some sites may not allow copying text, but I feel like they shouldn't be able to manipulate my clipboard.
HN article: https://news.ycombinator.com/item?id=32614037
The website (linked in that article) that is set up as a proof of concept/test to demonstrate this functionality: https://webplatform.news
After visiting this website you can open a text editor and paste the text it has copied to the clipboard.
The text that is copied to the clipboard demonstrating the functionality: "Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182."
I wanted to post this as a bug, but it's really intended functionality by Google (see the HN article above). So, I guess what I'm asking is for Vivaldi to consider disabling this as a default behavior. The sole purpose of it being enabled is to allow Google New Tab doodles.
-
@randyliden
This can be deactivated in the Vivaldi settings.
-
@ingolftopf
Hi, what? Where can you disable it?
Cheers, mib
-
@mib2berlin
Web page settings > Retrieve texts from clipboard.
Think that this is what is meant.
-
@ingolftopf
I'm probably blind but I can't find this setting, not even with the search.
Cheers, mib
-
@ingolftopf said in Chromium Browsers Allows Sites to Add Clipboard Content Without User Permission:
@mib2berlin
Web page settings > Retrieve texts from clipboard.
Think that this is what is meant.
Thanks for taking the time to answer ingolftopf, but I also cannot find this setting. I have looked in "webpages" and "privacy and security" along with searching for clipboard, text, and copy.
-
@mib2berlin Try chrome://settings/content/clipboard.
-
@hlehyaric I'm not totally sure it worked.
https://output.jsbin.com/yuliwoz/quiet ~ https://fluoridated-showy-fog.glitch.me/
<-- one step test urls (just open the site and paste the text in urlbar)
-
@hlehyaric
Hi, nice find but it does not change it, the text from the example page is still copied in the clipboard.
I even added the page to the "Not allowed to see your clipboard" pages with [*.]webplatform.news, restarted Vivaldi, reloaded the page and bang.
Cheers, mib
-
@mib2berlin It's not even a new thing, as Brave discussed whether to implement the API only on user demand, but I'm unsure if they did.
-
@Hadden89 As I recall, Opera doesn't.
When you visit a site there's a "Clipboard" toggle under Site Settings (when you click the security icon in the address bar). No idea if it actually works.
-
@randyliden @mib2berlin Now it probably worked. Clipboard must be off at
chrome://settings/content/siteDetails -> clipboard -> block
chrome://settings/content/clipboard -> don't allow
Then you can unlock the clipboard on a per-site basis where needed via the padlock, as expected (which is the best choice).
But then you need to fiddle with both pages to make an exception.
-
@Hadden89
Hi, thank you for looking over, this does not work for me on Vivaldi 5.5.2770.3, Linux.
I will check on stable, Windows 11 later, too.
I set both to disabled and restarted.
Cheers, mib
-
I'm struggling to figure out how this could be a potential threat, apart from being just an annoyance (when misused) for the user. The site can inject something into your clipboard, but then what? It's a dead end for the attacker - you can't force the user to do anything with the content you injected into their clipboard. You'd have to tell them what to do with it - but if you're capable of convincing someone to do something with a string of text, you can as well convince them to copy it to the clipboard themselves - no need to resort to any JavaScript tricks.
For me personally, the clipboard.writeText command is actually very useful, and I use it daily in many of my custom scripts. I believe many websites use that to make it easier to copy something the user was going to copy anyway - but I haven't yet heard of any real-life examples of how this was misused to perform an actual attack.
-
@pafflick said in Chromium Browsers Allows Sites to Add Clipboard Content Without User Permission:
I'm struggling to figure out how this could be a potential threat
Why assume that the browser is the only app the user has active?
If I am also using e.g. a word processor/messenger etc., I want to be in control of what is in the clipboard!!
-
@skaendo yes, that seems to be one case where it could be a potential risk - copying commands and pasting them into a terminal. However, preventing this risk could be very difficult. For example, having a browser notification (or a different counter-measure for copying text into the clipboard) might not achieve anything in such a scenario, as the user already expects to copy something from the website - so they will most likely dismiss/bypass the warning anyway. And there are other ways to trick someone to copy something malicious into their clipboard, even without JS. If you're afraid of these kinds of attacks, the only solution might be to never paste anything copied from (any) browser into a terminal.
I'm wondering - did you ever experience this issue on any website that you ever visited (unknowingly), or are you just afraid of the concept itself?
-
@TbGbe said in Chromium Browsers Allows Sites to Add Clipboard Content Without User Permission:
Why assume that the browser is the only app the user has active?
Why do you assume that I made such an assumption? I did admit that it's an annoyance when the clipboard content is changed without the user's knowledge - never said it isn't. But I was questioning whether it's indeed a security issue. And even in the very narrow pool of cases where it could be, preventing this by blocking the JS command might not achieve anything.
Now, this "vulnerability" has been there for a while. Did you ever experience this for yourself? Did you stumble upon any website actually exploiting this?
-
@pafflick said in Chromium Browsers Allows Sites to Add Clipboard Content Without User Permission:
But I was questioning whether it's indeed a security issue.
It is a "data loss" issue!
Did you ever experience this for yourself?
No I haven't.
blocking the JS command might not achieve anything
My objection is not to blocking - I object to the possibility of a website having the capability in the first place.
If I had the option, I would just disable the functionality completely - no need to implement "asking for permission".
-
@TbGbe said in Chromium Browsers Allows Sites to Add Clipboard Content Without User Permission:
It is a "data loss" issue!
A clipboard is not where you want to store the only copy of your data anyway - a mere OS failure, computer restart or a power outage can wipe it out at any time. As I said - annoyance? Yes. Security issue? Hardly.
@TbGbe said in Chromium Browsers Allows Sites to Add Clipboard Content Without User Permission:
No I haven't.
Me neither. I don't know anyone who did. If it was such a security hole, I imagine there would be a plethora of reports.
@TbGbe said in Chromium Browsers Allows Sites to Add Clipboard Content Without User Permission:
My objection is not to blocking - I object to the possibility of a website having the capability in the first place.
I'm afraid you'd have to take your complaint to the ECMA organisation. You can't blame browsers for supporting the agreed-upon standards.
@TbGbe said in Chromium Browsers Allows Sites to Add Clipboard Content Without User Permission:
If I had the option, I would just disable the functionality completely - no need to implement "asking for permission".
Then you can either disable JavaScript and enable it for trusted websites (which is good for privacy and security anyway) or use a custom script to prevent all clipboard-write requests.
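-
The "custom script to prevent all clipboard-write requests" mentioned in the last reply could look like the following. This is an added example, not code posted by anyone in this thread; `installClipboardGuard` and its `nav`/`doc`/`log` parameters are hypothetical names, and the guard assumes the browser exposes `navigator.userActivation`.

```javascript
// Added example: wraps the clipboard write paths so they only succeed while
// the page has transient user activation (a recent click or key press).
// installClipboardGuard, nav, doc and log are hypothetical names.
function installClipboardGuard(nav, doc, log = []) {
  const userActive = () =>
    Boolean(nav.userActivation && nav.userActivation.isActive);

  // Async Clipboard API: navigator.clipboard.writeText() and .write().
  const clip = nav.clipboard;
  if (clip) {
    for (const method of ['writeText', 'write']) {
      const original = clip[method];
      if (typeof original !== 'function') continue;
      clip[method] = function (...args) {
        if (!userActive()) {
          log.push({ method, blocked: true });
          return Promise.reject(
            new Error(`clipboard.${method} blocked: no user gesture`));
        }
        log.push({ method, blocked: false });
        return original.apply(clip, args);
      };
    }
  }

  // Legacy path: document.execCommand('copy' | 'cut') also writes the clipboard.
  if (doc && typeof doc.execCommand === 'function') {
    const originalExec = doc.execCommand;
    doc.execCommand = function (command, ...rest) {
      const cmd = String(command).toLowerCase();
      if ((cmd === 'copy' || cmd === 'cut') && !userActive()) {
        log.push({ method: `execCommand(${cmd})`, blocked: true });
        return false;
      }
      return originalExec.call(doc, command, ...rest);
    };
  }
  return log; // record of blocked and allowed write attempts
}

// In a browser, install against the real globals before site scripts run.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installClipboardGuard(navigator, document);
}
```

The guard only affects scripts that share its JavaScript context, so it has to be injected into the page itself at document start rather than run from an isolated extension world.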