Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

clipboard stuff #887

Closed
Thorin-Oakenpants opened this issue Jan 29, 2020 · 4 comments
Closed

clipboard stuff #887

Thorin-Oakenpants opened this issue Jan 29, 2020 · 4 comments

Comments

@Thorin-Oakenpants
Copy link
Contributor

Thorin-Oakenpants commented Jan 29, 2020
edited
Loading

2402: dom.event.clipboardevents.enabled

  • what is the threat model here
  • TB don't enforce it as false
  • IANAExpert but if it requires user interaction, then it could probably be inactive due to breakage: e.g AFAIK this breaks on wordpress sites (Facebook I don't care about)
  • what exactly can a site see when you onCopy/onCut (they can already tell you selected text) and onPaste (they can already read the contents of what you just pasted, right?) - i.e can it read any clipboard history?

2404: dom.allow_cut_copy

  • keep this as is until it's deprecated
  • but there's dom.events.asyncClipboard which controls the FF63+ Clipboard API : something about this replacing the document.execCommand() which is mentioned in 2404
  • also: what exactly is the threat model here as well
@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue Jan 29, 2020
Closed
@rusty-snake
Copy link
Contributor

https://blog.fefe.de/?ts=a34a94ac 🇩🇪
https://thejh.net/misc/website-terminal-copy-paste (PoC)
https://blog.fefe.de/?ts=a3486d5c 🇩🇪
https://bugzilla.mozilla.org/show_bug.cgi?id=1591698

@Thorin-Oakenpants
Copy link
Contributor Author

I don't see how 1591698 is a security or privacy or tracking issue - I'll scope the rest out later

@zdat
Copy link

zdat commented Feb 7, 2020
edited
Loading

2402: dom.event.clipboardevents.enabled set to false broke copy and paste on pretty much every site I used. Outlook and Twitter being 2 I remember.

I have it set to true because copying and pasting is too much hassle without it. Also, for me, it actually APPEARS that you ARE copying and pasting. The text is shown. But when you submit/send/save (etc.), whatever you copied and pasted isn't actually there!

Interested to see what you find about about this, because I have to set it to true for my daily use.

Thorin-Oakenpants added a commit that referenced this issue Apr 13, 2020
@Thorin-Oakenpants
2402: clipboardevents -> inactive, #887
d7c276b
@Thorin-Oakenpants
Copy link
Contributor Author

^^ I left the pref in but make it inactive

  • it's one of those prefs widely recommended on the web (e.g. PTIO for years, even us)
  • the information on it is relevant: especially the leak bug (which took about 5 edits to get correct)
  • it has a harden tag, but TBH I don't see any threat here (changing what you copy is not a threat: it's an annoyance)

As for the rest, IDF care anymore

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Thorin-Oakenpants @rusty-snake @zdat