yorkxin / copy-as-markdown

A browser extension to copy tabs and links as Markdown
MIT License
542 stars 83 forks

Chrome 107: Keyboard shortcut triggers "Reading Clipboard" warning #110

Closed yorkxin closed 1 year ago

yorkxin commented 1 year ago

Summary

In Chrome, using a keyboard shortcut to extract one or more tabs as Markdown to the system clipboard triggers the following privacy warning on the web page:

[Image: Screenshot 2022-11-05 8.26.42 AM]

Reproduction Steps

  1. Set a keyboard shortcut for Copy as Markdown in Chrome (any command)
  2. Press the shortcut on a web page

Expected Behavior

Actual Behavior

Reproducible Environment

edrex commented 1 year ago

It's weird: the extension is doing the reading, not the webpage. Is it the position of the Chrome security team that extension context can leak into the page, so they are overlapping contexts? Or is there some injected code being run in the page context that triggers the warning? If so, is there any way to replace it with code running in the extension context?

edrex commented 1 year ago

Also :sob: why U break my workflows chrome??

edrex commented 1 year ago

Looking at https://github.com/yorkxin/copy-as-markdown/blob/master/src/lib/clipboard-access.js I have a guess: Chrome has newly added navigator.clipboard, but it triggers the warning. Maybe conditionally skip that block if we're in Chrome? Edit: removing the try block with the navigator.clipboard call avoids the error, so yes, it's that call.

yorkxin commented 1 year ago

@edrex Thanks for your input.

> the extension is doing the reading, not the webpage.

To be clear, this extension only does writing into the clipboard, not reading.

> edit: removing the try block with the navigator.clipboard call avoids the error, so yes it's that call.

I poked around the code related to clipboard, permissions, content scripting etc. and it seems that the permission warning appears when either navigator.clipboard or document.execCommand("Copy") is used.

Sometimes the warning doesn't appear anymore once I choose "Approve"; other times it just doesn't appear on a different site. I can't figure out what dismisses the warning.

In this case, the right-click menu is working, the popup is working, and only the keyboard shortcut is broken. The keyboard shortcut requires special hacks with a content script because Chrome doesn't like programs running copy without explicit user interaction, and at least since one version of Chrome, runtime.onCommand (keyboard) doesn't count as user interaction in the background script.

The most recent issue in Chromium I can find is this one: https://bugs.chromium.org/p/chromium/issues/detail?id=1334203

All features are working well in Firefox. I would assume this is a Chromium-specific issue.

yorkxin commented 1 year ago

Asked question on Chromium bug tracker: https://bugs.chromium.org/p/chromium/issues/detail?id=1334203#c30

yorkxin commented 1 year ago

I'm trying to find a viable workaround here: https://github.com/yorkxin/copy-as-markdown/pull/111/files

It looks like the dialog won't be triggered using document.execCommand. I've been told by MDN that this API should be deprecated in favor of navigator.clipboard, so I am not comfortable going back to the old method again...

yorkxin commented 1 year ago

Tracking: https://bugs.chromium.org/p/chromium/issues/detail?id=1382608

yorkxin commented 1 year ago

Tried to solve this with a workaround using the permission query API in #111. It turns out: on every page you visit, the first time you invoke the keyboard shortcut, it will not work (even if the console log suggests that it is using textarea, which should work). It only works after the first time you use the context menu. And because the permission query is handled in an async function, it silently fails.

yorkxin commented 1 year ago

It looks like the problem with textarea is that if the document is not focused (not sure if this is the right terminology), then document.execCommand will return false.

Now I need to figure out what makes a page 'focused'...

yorkxin commented 1 year ago

Continuing work in https://github.com/yorkxin/copy-as-markdown/pull/112

yorkxin commented 1 year ago

Need some UI to show such an error. Considering chrome.action.openPopup() when such an error happens.

https://developer.chrome.com/docs/extensions/reference/action/#method-openPopup

cdbattags commented 1 year ago

So with all of these options, will it require the website to specifically have clipboard access?

It's crazy that the Chromium/Chrome team believes this is "WAI". I wonder what changed recently. I trust this extension way more than I trust these websites 😅.

yorkxin commented 1 year ago

@cdbattags

> I trust this extension way more than I trust these websites

Thanks. That means a lot to me!

In terms of website permission, it looks like there is no need to require the website to have clipboard access for Copy as Markdown to work.

There are two ways to write to the clipboard:

  1. Native navigator.clipboard API
  2. Legacy document.execCommand('copy') call in a textarea.

The native API triggers a permission warning; the legacy method does not, but it returns false in some cases.

From what I have observed, it seems that 'user gesture' is the keyword:

Using the mouse will always work -- it has a 'user gesture'. This is why it works for the context menu and the extension popup.

Calling the native API directly without any mouse interaction requires permission. This is the case for the keyboard shortcut. Since the code is executed in the content script, i.e. the web page's context, Chrome shows a warning about the website trying to access the clipboard, which can be seen as a false positive but also a true positive.

Calling the legacy method without any mouse interaction may or may not work, depending on the browser. The execCommand function returns false when the browser decides that writing to the clipboard is not allowed. On Firefox it happens when the textarea is hidden. On Chrome it happens when you have not clicked on the web page yet. I am not sure if this counts as a 'user gesture' though.

Moving forward, I'm thinking about a few solutions:

Both require further investigation, and I have no timeline for either of them. I'll try my best during my free time.

Meanwhile, please try an RC version here:

https://github.com/yorkxin/copy-as-markdown/releases/tag/v2.7.0rc2

This one won't trigger the permission warning on Chrome, but will show a red X icon when the copy fails.
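
The two clipboard write paths and the `false` return value described in the comment above, as an added example that is not part of the thread or the extension's own code. The `env` parameter, the result object and its `reason` strings are hypothetical; the sketch assumes that a `clipboard-write` permission state of `granted` means the native API will not prompt.

```javascript
// Added illustration; not code from copy-as-markdown. `env` is a hypothetical
// parameter carrying the content script's `document` and `navigator`, so the
// logic can also be exercised with stubs outside a browser.

// Legacy path: document.execCommand('copy') on a temporary textarea.
// Its boolean return value is the only failure signal, so it is never dropped.
function copyWithTextarea(text, doc) {
  const ta = doc.createElement('textarea');
  ta.value = text;
  doc.body.appendChild(ta);
  ta.select();
  let ok = false;
  try {
    ok = doc.execCommand('copy');
  } catch (_) {
    ok = false; // treat an exception like a refused copy
  } finally {
    ta.remove(); // never leave the helper element in the host page
  }
  if (ok) return { ok: true, method: 'execCommand' };
  // hasFocus() is recorded only as a diagnostic for the "page not focused" case.
  const reason = doc.hasFocus() ? 'copy-refused' : 'document-not-focused';
  return { ok: false, method: 'execCommand', reason };
}

// Uses navigator.clipboard only when the permission is already 'granted'
// (assumption: no prompt is shown in that state); otherwise falls back.
async function copyText(text, env) {
  let state = 'unknown';
  try {
    const status = await env.navigator.permissions.query({ name: 'clipboard-write' });
    state = status.state;
  } catch (_) {
    // Browsers that do not know the 'clipboard-write' permission name throw here.
  }
  if (state === 'granted') {
    try {
      await env.navigator.clipboard.writeText(text);
      return { ok: true, method: 'navigator.clipboard' };
    } catch (_) {
      // Rejected anyway (for example, document not focused): try the legacy path.
    }
  }
  return copyWithTextarea(text, env.document);
}
```

Because `copyText` always resolves to a result object, a caller can turn `ok: false` into a visible error state instead of letting the async path fail silently.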

yorkxin commented 1 year ago

Found a workaround: inject an iframe to an HTML page that performs document.Copy 🤯

Need to do some more tests...

https://github.com/yorkxin/copy-as-markdown/pull/113

yorkxin commented 1 year ago

@edrex @cdbattags Hi, I've released a beta version of Copy as Markdown v2.7.0rc4. This version fixed the issue that Keyboard Shortcuts on Chrome may not work. It'd be very helpful if you could try it in your daily workflow, and see if the issue happens again.

To test:

  1. Go to Chrome's "Extensions" page (chrome://extensions).
  2. Disable Copy as Markdown (no need to uninstall)
  3. Download the v2.7.4rc4 crx file from https://github.com/yorkxin/copy-as-markdown/releases/tag/v2.7.0rc4
  4. Drag and drop the downloaded file onto Chrome's Extensions page

When reporting the test results, please also let me know what operating system and what version of Chrome you're using.

Thanks!

selfpublish commented 1 year ago

So far so good. No issues! To clarify the installation a bit: after you drag the .crx file into your extensions window, you need to turn the original plug-in back on. The .crx patches the existing plugin to fix the issue. Thank you Yucheng!

cdbattags commented 1 year ago

Hmmm, looks like it's working but got this message:

image

I wonder where that came from?

yorkxin commented 1 year ago

@selfpublish Actually could you try disabling the original plug-in, and only enabling the CRX version? The CRX file should be able to work by itself. Please also configure the keyboard shortcut for the CRX version. Thanks!

yorkxin commented 1 year ago

@cdbattags Haha, I see. Of course Google won't allow any extension to inject code into its own websites. I'll try to work around this issue in the follow-up versions.

Meanwhile, could you try other non-Google websites?

edrex commented 1 year ago

Copying the current URL via the keyboard shortcut seems to work, even without "focusing" the page. Thank you for putting in the time to get this working, and for continuing to support this very useful extension @yorkxin!

wrt installing the test CRX from Github:

cdbattags commented 1 year ago

From my testing on two different Chrome profiles this looks good to go!

yorkxin commented 1 year ago

@edrex @cdbattags @selfpublish Thanks for helping me with the testing. I have published version 2.7.1 on Chrome Web Store and Firefox Add-Ons store. Please uninstall the standalone crx version (the one with rc1 in the version name), and install the release version from web stores. It may take a few hours for them to become available in your region.

Let me know if you have any questions!