From the Browser’s viewpoint, would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?
It’s not like there’s that much of a difference, as far as the Browser is concerned.
would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?
Clicking a button shows user intent, whereas a page load doesn’t. No user expects loading a page to overwrite their clipboard, but every user that clicks a “Copy to Clipboard” button does expect it.
Yeah that’s what I’m curious about; I’m used to copying code snippets or codes from websites by clicking a button (presumably through some browser API?), but am just now realizing that this in itself has security implications.
Using noscript or some such JS blocker would prevent this but break a lot of other things in the process. That’s why I’m wondering why the API isn’t locked down via some user prompt.
In Firefox, you can disable the clipboard events. I’ve done this for the rare case of me copy+pasting a password and forgetting to clear the clipboard after.
On Android, I’ve noticed that it’s possible for apps to read from the clipboard, to read OTP tokens for example. Since I noticed that a while back, I’ve always been wary of the clipboard on any device I’ve used.
The browser can’t access your clipboard contents without permission, but it can place text into the clipboard.
The problem is people the talking the copied text and pasting it into the command prompt.
Only as the result of a user interaction, for example by pressing a button.
From the Browser’s viewpoint, would there be any difference if the webpage has a JS button to put something in the clipboard, or it having code running in the background that puts things into the clipboard at page load?
It’s not like there’s that much of a difference, as far as the Browser is concerned.
Clicking a button shows user intent, whereas a page load doesn’t. No user expects loading a page to overwrite their clipboard, but every user that clicks a “Copy to Clipboard” button does expect it.
Yeah that’s what I’m curious about; I’m used to copying code snippets or codes from websites by clicking a button (presumably through some browser API?), but am just now realizing that this in itself has security implications.
Using noscript or some such JS blocker would prevent this but break a lot of other things in the process. That’s why I’m wondering why the API isn’t locked down via some user prompt.
In Firefox, you can disable the clipboard events. I’ve done this for the rare case of me copy+pasting a password and forgetting to clear the clipboard after.
On Android, I’ve noticed that it’s possible for apps to read from the clipboard, to read OTP tokens for example. Since I noticed that a while back, I’ve always been wary of the clipboard on any device I’ve used.