pyllyukko / user.js

user.js -- Firefox configuration hardening
MIT License

dom.event.clipboardevents.enabled is required to get copy/paste working on Google Docs #287

Open fmarier opened 7 years ago

fmarier commented 7 years ago

For copy/paste to work on Google Docs using the keyboard (Ctrl+C, Ctrl+X, Ctrl+V), it needs dom.event.clipboardevents.enabled to be enabled.

We could however disable dom.allow_cut_copy (introduced in https://bugzilla.mozilla.org/show_bug.cgi?id=1170911) since that appears to only be required for using the clipboard using the mouse UI.

I'm not sure what the best path forward is here, but here are ideas:

nodiscc commented 7 years ago

dom.allow_cut_copy was added in https://github.com/pyllyukko/user.js/pull/277, set to false, as @Thorin-Oakenpants noted we should keep enforcing false for both, but is definitely something to consider for a relaxed variant/branch #231 (set both prefs to true)
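The pref combinations discussed in the comments above can be checked mechanically. The following is an added example, not part of the thread or of the user.js project: it parses a user.js file and reports which variant the two clipboard prefs amount to. The variant labels and the sample file are assumptions made for illustration.

```javascript
// Added example. Pref names come from the thread; labels and sample are illustrative.
const EVENTS = "dom.event.clipboardevents.enabled";
const CUT_COPY = "dom.allow_cut_copy";

// Parse user_pref("name", value); lines. Later definitions override earlier
// ones, and commented-out prefs (// or /* */) are ignored.
function parseUserJs(text) {
  const prefs = new Map();
  const prefLine = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;/;
  const uncommented = text.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const line of uncommented.split(/\r?\n/)) {
    const m = prefLine.exec(line);
    if (m) prefs.set(m[1], JSON.parse(m[2]));
  }
  return prefs;
}

// Map the two prefs onto the variants named in the thread.
function classifyClipboard(prefs) {
  const events = prefs.get(EVENTS);
  const cutCopy = prefs.get(CUT_COPY);
  if (typeof events !== "boolean" || typeof cutCopy !== "boolean") {
    return "incomplete"; // a pref is unset here, so the browser default applies
  }
  if (!events && !cutCopy) return "strict";        // both enforced false
  if (events && !cutCopy) return "keyboard-only";  // proposal in the opening comment
  if (events && cutCopy) return "relaxed";         // relaxed variant (#231)
  return "events-off-only";                        // combination not discussed in the thread
}

// Constructed sample: strict settings followed by a local override.
const SAMPLE = `
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("dom.allow_cut_copy", false);
// user_pref("dom.allow_cut_copy", true);
/* user_pref("dom.allow_cut_copy", true); */
user_pref("dom.event.clipboardevents.enabled", true); // override for Google Docs
`;

console.log(classifyClipboard(parseUserJs(SAMPLE))); // keyboard-only
```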

nodiscc commented 7 years ago

SVG

https://github.com/pyllyukko/user.js/pull/276

If you are afraid of breakage, then you should revisit #231 :)

gcb commented 1 year ago

Does disabling this actually prevent clipboard reading without the user initiating a paste action?

pyllyukko commented 10 months ago

> Does disabling this actually prevent clipboard reading without the user initiating a paste action?

I sure as hell hope so! Otherwise random sites could read everything you put in there and that would be a security disaster.

gcb commented 9 months ago

I was probably too tired when I wrote that earlier comment :)

I meant, having this (as in the change to user.js being discussed) disabled (as in, having the Firefox setting enabled) does prevent clipboard reading at random times?

I guess, a better question, what are the attack vectors we are trying to fix by disabling this?

One case I know that is actively exploited in the wild is clipboard pollution, which is still a problem on most browsers. Thanks to GitHub and others wanting to add to your clipboard when you click the "copy" button because all users are too dumb to copy text, sites can add whatever they want to your clipboard if you visit them. This would fix it, but it is pretty low severity.

I am not aware of any way to get data from the clipboard unless the user initiates a paste event into the site.

So, having a way to prevent writing to the clipboard while allowing paste would be the best of both worlds. Top security. Top usability.

pyllyukko commented 9 months ago

> One case I know that is actively exploited in the wild is clipboard pollution, which is still a problem on most browsers.

I guess this is the main case with this/these setting(s).

> So, having a way to prevent writing to the clipboard while allowing paste would be the best of both worlds.

BTW. I was wondering whether there are other apps than Google Docs where Ctrl+V breaks 🤔 Because it seems to work in most places.

gcb commented 9 months ago

> BTW. I was wondering whether there are other apps than Google Docs where Ctrl+V breaks 🤔 Because it seems to work in most places.

Everywhere you have rich-paste (i.e. you can paste images, etc)

To accomplish this, they use some badly coded React component that uses DIV instead of a proper INPUT HTML element. So if you initiate a paste event without the JavaScript hacks, you just pasted nowhere on the page and it will be ignored.

Bug examples I can think of:

examples that do it right: