Open link2xt opened 1 year ago
hpk42
commented
1 year ago On Wed, Sep 27, 2023 at 05:48 -0700, link2xt wrote:
See discussion at https://github.com/deltachat/deltachat-desktop/pull/3413#discussion_r1337826506
i don't understand -- when i am opening the editor i want to be able to paste something into it. Are you suggesting to disable this ability completely?
link2xt
commented
1 year ago WebXDC app should not be able to access the clipboard without explicit user action. Otherwise it is possible to make an app that posts your clipboard to the public board every time you open it.
execCommand('paste') should not work: https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommand
New Clipboard API require a clipboard-read permission, this should be asked for each app or disabled.
Pasting into forms is possible in any case.
hpk42
commented
1 year ago On Thu, Sep 28, 2023 at 02:15 -0700, link2xt wrote:
WebXDC app should not be able to access the clipboard without explicit user action. Otherwise it is possible to make an app that posts your clipboard to the public board every time you open it.
execCommand('paste')should not work: https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommandNew Clipboard API require a
clipboard-readpermission, this should be asked for each app or disabled.
if i go to any https-website, can they get at the content of my clipboard in default browser? Or is that only possible for browser-controlled input/edit-fields ?
Simon-Laux
commented
1 year ago we can try to overwrite it, but then we have the iframe problem again:
iframe.contentWindow.document.execCommand("paste")btw it still works in electron 26.
also the clipboard api does not work, because it's permission is denied, somehow execCommand works regardless.
See discussion at https://github.com/deltachat/deltachat-desktop/pull/3413#discussion_r1337826506