w3c / clipboard-apis

Clipboard API and events
https://w3c.github.io/clipboard-apis/

Interoperability issue: `navigator.clipboard.write()` and `navigator.clipboard.writeText()` user gesture requirement #182

Closed tomayac closed 1 year ago

tomayac commented 2 years ago

(This was brought up in the context of @simevidas' tweet.)

When attempting to write to the clipboard via either of `navigator.clipboard.write()` or `navigator.clipboard.writeText()`, both Safari 🚫 and Firefox 🚫 require a user gesture.

In contrast, and this is the interoperability issue I guess, Chrome ✅ happily proceeds. Brave, based on Chromium, considered disabling this behavior (https://github.com/brave/brave-browser/issues/16890).

One use case requiring a user gesture would break is that of remote clipboard synchronization, which is explicitly mentioned in the spec. Maybe Capability Delegation could be the answer here?!

Here's a test page for write() courtesy of Šime, and here's a test page for writeText() (based on Šime's).

snianu commented 2 years ago

@tomayac Is this on the latest 104 stable build? I added the transient user activation requirement for write() method but not writeText() because of some internal site breakage where they are currently relying on this behavior. We have bugs to fix this crbug.com/1334203

tomayac commented 2 years ago

I tested on 104.0.5112.101, yes.

Naleksuh commented 2 years ago

This has been an issue for a while now. Stuff like this is why you shouldn't be enabling JavaScript on random websites.

NabiKAZ commented 2 years ago

Version 105.0.5195.54 (Official Build) (64-bit) There is still a bug.

raydleemsc commented 2 years ago

Tested on Version 1.42.97 Chromium: 104.0.5112.102 (Official Build) (64-bit) - silent fail - no error, but no effect on clipboard as well

simevidas commented 2 years ago

It should be noted that Chromium-based browsers do have some restrictions for writing text to the clipboard:

(https://groups.google.com/a/chromium.org/g/blink-dev/c/epeaao7l13M/m/b8ewAH5uBwAJ)

So if a web page is loaded into a background tab, it won’t be able to write to the clipboard.

simevidas commented 2 years ago

Some developments in the Brave browser: https://github.com/brave/brave-core/pull/14901

evanstade commented 2 years ago

As of this commit, Chromium requires either user activation (at the time of the write) or an explicit permission grant (which is durable across many reads/writes) for writing to the clipboard. As noted in the spec, there are known use cases which rely on the permission grant flow as opposed to the user gesture.
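An added example, not part of any comment in this thread and not code from Chromium or the spec: a write helper that applies the conditions stated above (user activation or a granted permission, in a tab that is not in the background) before calling `writeText()`. The names `decideClipboardWrite`, `readPermission` and `safeWriteText` are hypothetical, and using `document.hasFocus()` to detect a background tab is an assumption.

```javascript
// Added example. `nav` and `doc` are injectable so the logic can run outside a
// browser; in a page they default to the real navigator and document.

// Pure decision: call writeText() now, or wait for a user gesture?
function decideClipboardWrite({ hasApi, focused, userActive, permission }) {
  if (!hasApi) return 'unsupported';
  if (!focused) return 'defer';                 // background tab: write is refused
  if (userActive) return 'write';               // user gesture present
  if (permission === 'granted') return 'write'; // durable permission grant
  return 'defer';                               // no gesture, no grant: wait for a click
}

async function readPermission(nav) {
  try {
    const status = await nav.permissions.query({ name: 'clipboard-write' });
    return status.state; // 'granted' | 'prompt' | 'denied'
  } catch {
    return 'unknown';    // some engines reject this permission name
  }
}

async function safeWriteText(text, nav = globalThis.navigator, doc = globalThis.document) {
  const hasApi = Boolean(nav && nav.clipboard && nav.clipboard.writeText);
  const state = {
    hasApi,
    focused: doc ? doc.hasFocus() : false, // assumption: focus stands in for "foreground tab"
    userActive: Boolean(nav && nav.userActivation && nav.userActivation.isActive),
    permission: hasApi && nav.permissions ? await readPermission(nav) : 'unknown',
  };
  const decision = decideClipboardWrite(state);
  if (decision !== 'write') return decision; // caller retries from a click handler
  try {
    await nav.clipboard.writeText(text);
    return 'written';
  } catch (err) {
    // NotAllowedError: the browser refused the write despite our checks.
    if (err && err.name === 'NotAllowedError') return 'denied';
    throw err;
  }
}
```

A caller that gets `'defer'` back should retry from inside a click or key handler rather than on page load.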

HolgerJeromin commented 2 years ago

@evanstade your link is missing the protocol (https)

tomayac commented 2 years ago

(Corrected link for https://github.com/w3c/clipboard-apis/issues/182#issuecomment-1240023984: https://crrev.com/10300ac7da93a7e322274f1e.)

Are people fine with me closing the Issue as completed?

sunder11 commented 1 year ago

Perhaps I am stupid. Is this related to CVE-2022-3075? If so, I was under the impression this was patched. If I go to webplatform.news it continues to write to my clipboard. My Chrome is: 106.0.5249.119, my Vivaldi is 5.5.2805.38, and Opera is 91.0.4516.65.

gsnedders commented 1 year ago

52 and https://github.com/w3c/clipboard-apis/issues/75 are both related?

simevidas commented 1 year ago

There has been a recent change in Chromium: In Chrome 107, attempting to write to the clipboard on page load now triggers a permission prompt. I have removed the code from webplatform.news to not bother my visitors.

[Screenshot]

HolgerJeromin commented 1 year ago

@simevidas You wrote about "writing to clipboard". The screenshot shows a dialog about "read from clipboard". This is constantly mixed (at least in the media about this topic).

My code navigator.clipboard.writeText() works without any dialog or console log in chrome 108 (after user activation). Edit: Sorry, you are right. The code and dialog text are not matching. 8-( Tested with https://fluoridated-showy-fog.glitch.me

evanstade commented 1 year ago

Attempting to write to the clipboard should only trigger a prompt if there's no user action attached.

Yes, Chromium reuses the same permission for both gesture-less reads and writes. The text was not updated because reading is considered more powerful than writing.

HolgerJeromin commented 1 year ago

Not telling the truth in such dialogs is IMO a very bad move. I would reject reading my clipboard on most pages, but writing is often useful (perhaps not without user gesture, but still).

evanstade commented 1 year ago

It is the truth in that the same underlying permission is used for both actions. Granting this permission will affect reading. To avoid permission fatigue, we try to avoid creating too many distinct permissions.

snianu commented 1 year ago

This issue is creating unnecessary noise in the clipboard repo. The original issue has already been addressed, so if there are any concerns/bugs, please open bugs in the chromium bug database. I'm going to close this issue.