Aug 29, 2022 21:00:00

Google Chrome is in a state where websites can write to the clipboard without user permission

It has been pointed out that websites opened in Google Chrome can write arbitrary strings to the clipboard without obtaining the user's permission. Although it is recognized in Chrome's bug management system, it has not been fixed.

Chrome allows websites to write to the clipboard without the user's permission | Hacker News

https://news.ycombinator.com/item?id=32614037

I tried the reproduction procedure shown by the social news site Hacker News. First, access the following site 'Web Platform News' with Chrome.

Web Platform News

https://webplatform.news/

Then paste the contents of the clipboard somewhere. This is what I actually pasted into the text editor.

The content of the message is ``This message is on the clipboard because you accessed Web Platform News in a browser that allows websites to write to the clipboard without the user's permission. Please take a look.'

Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user's permission. Sorry for the inconvenience. For more information about this issue, see https://github .com/w3c/clipboard-apis/issues/182.

According to what Mr. tomayac posted on GitHub, the API method 'navigator.clipboard.write()' to copy an image to the clipboard and the API method 'navigator.clipboard.writeText () ' to copy a string to the clipboard are , Firefox and Safari require user interaction, but Chrome runs without user interaction. 'This has been a problem for a long time,' said Naleksuh. 'You shouldn't have JavaScript enabled on random websites because of this problem.'

Interoperability issue: `navigator.clipboard.write()` and `navigator.clipboard.writeText()` user gesture requirement Issue #182 w3c/clipboard-apis GitHub
https://github.com/w3c/clipboard-apis/issues/182

On Chrome's bug reporting platform, Microsoft's Anupam Snigdha, who was working to improve the clipboard API, has confirmed in June 2022 that he has committed 'remove user gesture requests when reading/writingText'. , a project member said, 'This is a huge privacy issue. The page can read and write to the clipboard without user interaction and needs to be addressed immediately. We will also need a solution to this problem,” he said.

1334203 - NewTabPageDoodleShareDialogFocusTest.All test fails when user gesture is enforced. - chromium
https://bugs.chromium.org/p/chromium/issues/detail?id=1334203

Related Posts:

Aug 29, 2022 21:00:00 in Software, Security, Posted by logc_nt