Closed tomayac closed 1 year ago
@tomayac Is this on the latest 104 stable build? I added the transient user activation requirement for write()
method but not writeText()
because of some internal site breakage where they are currently relying on this behavior. We have bugs to fix this crbug.com/1334203
I tested on 104.0.5112.101
, yes.
This has been an issue for a while now. Stuff like this is why you shouldn't be enabling JavaScript on random websites.
Version 105.0.5195.54 (Official Build) (64-bit) There is still a bug.
Tested on Version 1.42.97 Chromium: 104.0.5112.102 (Official Build) (64-bit) - silent fail - no error, but no effect on clipboard as well
It should be noted that Chromium-based browsers do have some restrictions for writing text to the clipboard:
(https://groups.google.com/a/chromium.org/g/blink-dev/c/epeaao7l13M/m/b8ewAH5uBwAJ)
So if a web page is loaded into a background tab, it won’t be able to write to the clipboard.
Some developments in the Brave browser: https://github.com/brave/brave-core/pull/14901
As of this commit, Chromium requires either user activation (at the time of the write) or an explicit permission grant (which is durable across many reads/writes) for writing to the clipboard. As noted in the spec, there are known use cases which rely on the permission grant flow as opposed to the user gesture.
@evanstade your link is missing the protocol (https)
(Corrected link for https://github.com/w3c/clipboard-apis/issues/182#issuecomment-1240023984: https://crrev.com/10300ac7da93a7e322274f1e.)
Are people fine with me closing the Issue as completed?
Perhaps I am stupid. Is this related to cve-2022-3075. If so I was under the impression this was patched. if I go to webplatfoem.news it continues to write to my clipboard. My chrome is: 106.0.5249.119, My Vivaldi is 5.5.2805.38, and Opera is 91.0.4516.65.
There has been a recent change in Chromium: In Chrome 107, attempting to write to the clipboard on page load now triggers a permission prompt. I have removed the code from webplatform.news to not bother my visitors.
@simevidas You wrote about "writing to clipboard". The screenshot shows a dialog about "read from clipboard". This is constantly mixed (at least in the media about this topic).
My code
Edit: Sorry, you are right. The code and dialog text are not matching. 8-(
Tested with https://fluoridated-showy-fog.glitch.menavigator.clipboard.writeText()
works without any dialog or console log in chrome 108 (after user activation).
Attempting to write to the clipboard should only trigger a prompt if there's no user action attached.
Yes, Chromium reuses the same permission for both gesture-less reads and writes. The text was not updated because reading is considered more powerful than writing.
Telling not the truth in such dialogs is IMO a very bad move. I would reject reading my clipboard on most pages, but writing is often useful (perhaps not without user gesture, but still).
It is the truth in that the same underlying permission is used for both actions. Granting this permission will affect reading. To avoid permission fatigue, we try to avoid creating too many distinct permissions.
(This was brought up in the context of @simevidas' tweet.)
When attempting to write to the clipboard via either of
navigator.clipboard.write()
ornavigator.clipboard.writeText()
, both Safari 🚫 and Firefox 🚫 require a user gesture:In contrast, and this is the interoperability issue I guess, Chrome ✅ happily proceeds. Brave, based on Chromium, considered disabling this behavior (https://github.com/brave/brave-browser/issues/16890).
One use case requiring a user gesture would break is that of remote clipboard synchronization, which is explicitly mentioned in the spec. Maybe Capability Delegation could be the answer here?!
Here's a test page for
write()
courtesy of Å ime, and here's a test page forwriteText()
(based on Å ime's).