Sites will now use java script to identify pasted content

[asherline]

and then they just don't accept it. Most prominently Paypal does this. Cleverly they don't tell you the correct reason why they won't accept the password and instead say your password doesn't match. My annoyance is indescribable.

I recognize that this is beyond the scope of this particular project but has anyone thought about an extension that would turn a paste event into fake key presses? Just consecutively activate each key? It seems like it would be very difficult or impossible for a website to engineer around this.

[jswanner]

@asherline, synthesizing keyboard events will not change an input's value, see: https://developer.mozilla.org/en-US/docs/Web/API/KeyboardEvent#Auto-repeat_handling_prior_to_Gecko_5.0

Note: Manually firing an event does not generate the default action associated with that event. For example, manually firing a key event does not cause that letter to appear in a focused text input. In the case of UI events, this is important for security reasons, as it prevents scripts from simulating user actions that interact with the browser itself.

Instead you'd need to set the value attribute directly.

[jswanner]

That said, I'm able to paste my password into PayPal's log in form without issue (don't need this extension for it either). Where are you experiencing this on their site?

[asherline]

Curses, foiled again. Its funny that these organizations are going through so much effort to address this particular "security" threat. Who is asking for this and why?

But I digress. It is the Sign Up form rather than the Log In form that is doing this: https://www.paypal.com/welcome/signup/#/email_password also the Oregon Medicaid site does this as well: https://one.oregon.gov/UserRegistration/SettingUpAccount

[jswanner]

The PayPal sign up form is allowing me to paste into their password fields, and if the password meets their criteria it lets me submit the form with pasted content. If the password doesn't meet their criteria, the password confirmation field will say the passwords don't match.

For the Oregon Medicaid registration form, I did need to activate this extension in order to paste into the password fields. But, it also let me submit with pasted content, once I bypassed their blocking of paste.