tags:

views:

734

answers:

3
+2  Q: 

Copy & Paste in Firefox

While working on a wysiwyg editor, I hit the wall of Firefox restricting access to the clipboard (haven't yet tested Webkit).

  1. Can someone explain WHY copying to the clipboard is restricted?

    I just cannot think of a single way that this can be used nefariously, and use-cases abound where lack of 'copy' support is a problem.
    In fact, whole libraries such as zeroClipboard are there just to facilitate this function.

    (I understand - but disagree - that allowing read access to the clipboard can create a hole, though a popup would solve that.)

  2. Are there any good hacks/methods that would give me a 'paste' button? I have seen posts refer to 'textarea trick' among others, without explanation of how they work.

  3. Is there a term for the all-too-common scenario where production by legitimate users is hampered by 'security precautions', and the 'bad guys' use hacks [like zeroClip] that render the secure feeling completely false?

I am aware that there is a convoluted 'official' method that is available if I sign my scripts.. [which I do not have the knowledge or resources to do], but that even that would generate a popup whenever I use it.

A: 

You might have cut something from an application that doesn't support undo or something to paste somewhere else. If it was allowed to modified the clipboard automatically, you could have lost the data you had cut.

Mehrdad Afshari  2009-05-17 18:12:23
Understood. But that's no security hole, and its not Firefox's job to prevent.Imagine if Word restricted 'copy' for fear that you might have something valuable in the clipboard!Copying is something that should always be done with caution. But the uses are real, and part of entering into interactive pages means that a user should be able to choose to interact.(Imagine a site that offers JS snippets. After each snippet it says "click here to copy to clipboard")
SamGoody  2009-05-17 18:31:54
@samgoody: desktop applications like Word are fundamentally different than web applications... You choose to install Word, you choose to launch it, with the understanding that it has full access to your system. Web apps are assumed to live in the browser sandbox, with little little or no access to the system beyond it. The "sandboxed" nature of web apps is both a blessing and a curse for developers: while it can be very limiting, there's no need to convince users to trust you enough to install on their machine... anything hurting the perception that *visiting a website* is safe hurts everyone.
Shog9  2009-05-17 21:00:24
@Shog9 - "anything hurting the perception that *visiting a website* is safe hurts everyone." Good point. Though by that logic, we should be even more restrictive.From the flavor of the responses, I guess I'm the only one who thinks this is counterproductive, so I'd best hold my tongue.
SamGoody  2009-05-18 07:40:49
@Shog9 - On second thought: Ctrl+CVX is supported by Firefox.If that doesn't hurt the perception, why should a 'copy' button that they consciously press. In fact, when I try to explain to the clients how I can offer them to upload files but I can't offer them to copy from Word, they don't understand at all - it doesn't generate trust, it generates confusion.And, while access to the clipboard can be misused, as Ive written above, that isn't a reason not to offer it - just to evaluate the use case [real] vs the risk [remote - site bombs important data in clipboard.]
SamGoody  2009-05-18 08:10:58
@samgoody: How do you distinguish a conscious action in a Web page from a malicious script?
Mehrdad Afshari  2009-05-18 08:39:18
@samgoody: sure, there may be ways of implementing a limited version of the Copy command. Although, attempting to differentiate between a user's intentional actions and accidental clicks hasn't exactly been a perfect success for pop-up blockers. But more importantly, FF does provide a means of enabling access to the clipboard for trusted sites; someone really just needs to write a decent UI for it...
Shog9  2009-05-18 14:39:34
+3  A: 

Same reason site scripts can't just change your bookmarks or write out changes to local files: those belong to the user, and allowing scripts to modify them also allows malicious scripts to write out malicious content or erase valuable data.

Yes, we generally consider clipboard data to be "less important", in that it is transient. But it still belongs to the user, not whatever page happens to be open. Imagine a script that, out of some misguided hope to prevent copyright violation, cleared out your clipboard every 100 milliseconds! Or one that copied dangerous system commands, hoping that a small number of users would paste them into a terminal without double-checking first...

FWIW, as of version 10, Flash has also tightened up restrictions on modifying the clipboard: such modifications now must happen as a direct result of user interaction.

Shog9  2009-05-17 18:50:12
SamGoody  2009-05-18 07:37:31
You know, if you wrote one reply per comment, you'd have the space to flesh them out more... I'm starting to think this question was born out of a desire for you to rant more than any particular interest in seeing it answered.
Shog9  2009-05-18 14:21:24
A: 

I think the security issue is a site reading from the clipboard. A site could have a script that just passively reads each visitor's clipboard and saves the data. Without the knowledge of the user, the site could potentially gather email addresses, passwords, credit card numbers, social security numbers, etc.

 2009-07-23 16:51:57
Agreed. Flash therefore allows for data to be written to, but not read from, the clipboard. Flash's security model makes sense. Firefox/Webkit's, does not. My whole question was why not let data be written *to* the clipboard?
SamGoody  2009-07-23 19:40:29

related questions

Can not round trip html format to clipboard.
How to paste CSV data to Windows Clipboard with C#
Clipboard appears not to be working, and is inaccessible from code or windows
How can I get a script's output to be copied to the clipboard (windows)?
Getting name of file copied to clipboard from email attachment in VB.NET
How to place text in the clipboard so that it pastes as a table in Word?
How do I copy an image and text to the clipboard as one object?
How to get correctly-encoded HTML from the clipboard?
Copy and Modify selected text in different application.
Is it possible to read the clipboard in Firefox, Safari and Chrome using Javascript?
Webcam usage in C#
Tool to save a larger clipboard
How to perform a deep copy of an object not marked as serializable (in C#)?
Adding Text to Clipboard on Click of ListView Column Header - C#
How to tell if text on the windows clipboard is ISO 8859 or UTF-8 in C++ ?
How can I read raw (CF_HTML) clipboard data in a webpage or C#?
Windows clipboard CRLF/LF passing wrong for one user
Use clipboard from VBScript
Copy / Put text on the clipboard with FireFox, Safari and Chrome
Is it possible to send the contents of a text file to the clipboard from the command line in OS X?
Why can't I single-step Clipboard-code within the VS.NET debugger ?
CLIPBRD_E_CANT_OPEN error when setting the Clipboard from .NET
Get application name from Windows XP cut and paste?
How can I enable copy and paste between my host and VMware guest OS?
What is a good web-based Grid that accepts Excel clipboard data?