Closed yorkxin closed 1 year ago
It's weird: the extension is doing the reading, not the webpage. Is it the position of the chrome security team that extension context can leak into the page so they are overlapping contexts? Or, is there some injected code being run in the page context that triggers the warning? If so, is there any way to replace it with code running in the extension context?
Also :sob: why U break my workflows chrome??
Looking at https://github.com/yorkxin/copy-as-markdown/blob/master/src/lib/clipboard-access.js I have a guess: chrome newly has added navigator.clipboard but it triggers the warning. Maybe conditionally skip that block if we're in chrome? edit: removing the try block with the navigator.clipboard call avoids the error, so yes it's that call.
@edrex Thanks for your input.
> the extension is doing the reading, not the webpage.
To be clear, this extension only does writing into the clipboard, not reading.
> edit: removing the try block with the navigator.clipboard call avoids the error, so yes it's that call.
I poked around the code related to clipboard, permissions, content scripting etc. and it seems that the permission warning appears when either navigator.clipboard or document.execCommand("Copy") is used.
Sometimes the warning doesn't appear anymore once I choose "Approve"; other times it just doesn't appear on a different site. I can't figure out what dismisses the warning.
In this case, right-click menu is working, popup is working, only keyboard shortcut is broken. Keyboard shortcut requires special hacks with content script because Chrome doesn't like the program running copy without explicit user interaction, and at least since one version of Chrome, runtime.onCommand (keyboard) doesn't count as user interaction in background script.
The most recent issue in Chromium I can find is this one: https://bugs.chromium.org/p/chromium/issues/detail?id=1334203
All features are working well in Firefox. I would assume this is a Chromium-specific issue.
Asked question on Chromium bug tracker: https://bugs.chromium.org/p/chromium/issues/detail?id=1334203#c30
I'm trying to find a viable workaround here: https://github.com/yorkxin/copy-as-markdown/pull/111/files
It looks like the dialog won't be triggered using document.execCommand. I've been told by MDN that this API should be deprecated in favor of navigator.clipboard, so I am not comfortable going back to the old method again...
Tried to solve this with a workaround using permission query API in #111. It turns out: on every page you visit, the first time invoking keyboard shortcut will not work (even if the console log suggests that it is using textarea, which should work). It only works after the first time you use context menu. And because permission query is handled in an async function, it silently fails.
It looks like the problem with textarea is that if the document is not focused (not sure if this is the right terminology), then document.execCommand will return false.
Now I need to figure out what makes a page 'focused'...
Continue working in https://github.com/yorkxin/copy-as-markdown/pull/112
Need some UI to show such error. Considering chrome.actions.openPopup() when such error happened.
https://developer.chrome.com/docs/extensions/reference/action/#method-openPopup
So with all of these options, will it require the website to specifically have clipboard access?
It's crazy that Chromium/Chrome team believes this is "WAI". I wonder what changed recently. I trust this extension way more than I trust these websites.
@cdbattags
> I trust this extension way more than I trust these websites
Thanks. That means a lot to me!
In terms of website permission, it looks like there is no need to require the website to have clipboard access for Copy as Markdown to work.
There are two ways to write to clipboard:
- navigator.clipboard API
- document.execCommand('copy') call in a textarea.
The native API triggers permission warning, the legacy method does not, but it returns false in some cases.
From what I have observed, it seems that 'user gesture' is the keyword:
Using mouse will always work -- it has a 'user gesture'. This is why it works for context menu and extension popup.
Calling the native API directly without any mouse interaction, requires permission. This is the case of Keyboard Shortcut. Since the code is executed in the content script i.e. the web page's context, Chrome shows warning about the website trying to access clipboard, which can be seen as a false positive but also true positive.
Calling the legacy method without any mouse interaction, may or may not work depending on browser. The execCommand function returns false when browser decided that writing to the clipboard is not allowed. On Firefox it happens when the textarea is hidden. On Chrome it happens when you have not clicked on the web page yet. I am not sure if this counts as 'user gesture' though.
Moving forward, I'm thinking about a few solutions:
document.execCommand failed because they just switched the tab. This introduces annoying UX to keyboard-heavy users.
Both require further investigation, and I have no timeline for either of them. I'll try my best during my free time.
Meanwhile, please try an RC version here:
https://github.com/yorkxin/copy-as-markdown/releases/tag/v2.7.0rc2
This one won't trigger permission warning on Chrome, but will show a red X icon when copy failed.
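The behaviour described in the comment above (legacy method first, no permission prompt, failure reported instead of swallowed) can be sketched as follows. This is an added example, not code from copy-as-markdown; the function names are hypothetical, and it assumes document.hasFocus() as the "focused" check and the 'clipboard-write' permission name.

```javascript
// Added example; function names are hypothetical, not from copy-as-markdown.

// Legacy path: select a temporary textarea and call execCommand('copy').
// Returns a result object so the caller can show an error indicator.
function copyViaTextarea(doc, text) {
  // Assumption: document.hasFocus() approximates the "focused" condition
  // under which the thread saw execCommand return false on Chrome.
  if (!doc.hasFocus()) {
    return { ok: false, reason: 'document-not-focused' };
  }
  const ta = doc.createElement('textarea');
  ta.value = text;
  ta.style.position = 'fixed'; // stays rendered, does not scroll the page
  doc.body.appendChild(ta);
  ta.select();
  let ok = false;
  try {
    ok = doc.execCommand('copy');
  } finally {
    doc.body.removeChild(ta);
  }
  return ok
    ? { ok: true, method: 'execCommand' }
    : { ok: false, reason: 'execCommand-returned-false' };
}

// Try the legacy path first. Use navigator.clipboard only when the
// permission is already granted, so the call does not need to prompt.
async function copyText(doc, nav, text) {
  const legacy = copyViaTextarea(doc, text);
  if (legacy.ok) return legacy;
  let state = 'unknown';
  try {
    state = (await nav.permissions.query({ name: 'clipboard-write' })).state;
  } catch (err) {
    // Permissions API or this permission name is unavailable here.
  }
  if (state !== 'granted') return legacy;
  try {
    await nav.clipboard.writeText(text);
    return { ok: true, method: 'navigator.clipboard' };
  } catch (err) {
    // Awaited and reported, never dropped inside an un-awaited promise.
    return { ok: false, reason: 'writeText-rejected' };
  }
}
```

In a content script the call would be `copyText(document, navigator, markdown)`, with the returned `reason` driving whatever failure indicator the extension shows.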
Found a workaround: inject an iframe to an HTML page that performs document.Copy
Need to do some more tests...
@edrex @cdbattags Hi, I've released a beta version of Copy as Markdown v2.7.0rc4. This version fixed the issue that Keyboard Shortcuts on Chrome may not work. It'd be very helpful if you could try it in your daily workflow, and see if the issue happens again.
To test:
chrome://extensions).
When reporting the test results, please also let me know what operating system and what version of Chrome you're using.
Thanks!
So far so good. No issues! To clarify the installation a bit: after you drag the .crx file into your extensions window, you need to turn the original plug-in back on. The .crx patches the existing plugin to fix the issue. Thank you Yucheng!
Hmmm, looks like it's working but got this message:
I wonder where that came from?
@selfpublish Actually could you try disabling the original plug-in, and only enabling the CRX version? The CRX file should be able to work by itself. Please also configure the keyboard shortcut for the CRX version. Thanks!
@cdbattags Haha, I see. Of course Google won't allow any extension to inject code into its own websites. I'll try to work around this issue in the follow up versions.
Meanwhile, could you try other non-Google websites?
Copying the current URL via the keyboard shortcut seems to work, even without "focusing" the page. Thank you for putting in the time to get this working, and for continuing to support this very useful extension @yorkxin!
wrt installing the test CRX from Github:
From my testing on two different Chrome profiles this looks good to go!
@edrex @cdbattags @selfpublish Thanks for helping me with the testing. I have published version 2.7.1 on Chrome Web Store and Firefox Add-Ons store. Please uninstall the standalone crx version (the one with rc1 in the version name), and install the release version from web stores. It may take a few hours for them to become available in your region.
Let me know if you have any questions!
Summary
In Chrome, using keyboard shortcut to extract one or more tabs as Markdown to system clipboard triggers the following privacy warning on the web page:
Reproduction Steps
Expected Behavior
Actual Behavior
Reproducible Environment