Jump to content
  • Websites may write to the clipboard in Chrome without user permission


    Karlston

    • 632 views
    • 3 minutes
     Share


    • 632 views
    • 3 minutes

    If you run Google Chrome or another Chromium-based web browser, then websites may push anything they want to the operating system's clipboard without user permission or any user action.

     

    chrome-clipboard-pasting-without-permiss

     

    Computer users may use the clipboard of the system for temporary storage: a password for entering it on a website, a file for moving it to another location on the system, or a bit of text found on a site for pasting in a Word document or a search engine.

     

    Sites should never have access to the content of the clipboard, at least not without user permission. Chrome and other Chromium-based browsers have no such restriction currently. The makers of the Brave web browser considered adding the user gesture requirement in 2021, but this has not been implemented in the browser. The two other major browsers that do are not based on Chromium, Firefox and Safari, protect the clipboards of their users.

     

    Visit the Webplatform News website to test your browser. All it takes is to visit the site and check the content of the clipboard afterwards.

     

    If you get the following message in your clipboard, the browser is vulnerable to unauthorized clipboard manipulation:

     

    Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.

     

    All Chromium-based browsers that are up to date are affected by this. Firefox and Safari do require a user gesture before websites may copy content to the device's clipboard. User gesture in this context means that the user is selecting content on the site and using Ctrl-C or other means to copy it to the clipboard.

     

    A bug report on the Chromium website highlights that the restriction to require a user gesture before reading or writing to the clipboard has been removed. The reason given: it breaks NTP doodle sharing.

     

    Adding user gesture requirement for readText and writeText APIs
    breaks NTP doodle sharing. We are relaxing this check for now, but
    we should fix this for sites to not rely on these APIs to be called
    without a user gesture.


    See NewTabPageDoodleShareDialogFocusTest.All test for more details.

     

    NTP refers to the New Tab Page of the browser, doodles are Google Doodles, variations of the Google logo that highlight events or people.

     

    On this GitHub page, the assumption is made that the user gesture requirement could break remote clipboard synchronization in browsers.

     

    Now You: is your browser vulnerable?

     

     

     

    Websites may write to the clipboard in Chrome without user permission

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...