top | item 32616452

(no title)

Disclaimer: I am a Chrome developer, who formerly worked on the clipboard.

For a long time, Chrome did not allow pages on the open web to use document.execCommand('copy') or document.execCommand('cut'), and there was a fairly steady stream of requests from web developers to enable this. Eventually, Chrome did expose this gated behind a user gesture: https://chromestatus.com/feature/5223997243392000

> So instead of changing their new tab page to require a gesture like all other sites... they decided to allow any website to copy text into the clipboard. Nice.

Ownership of the clipboard features has moved around a bit, and sometimes historical context around things like the user gesture requirement are lost. Here, the NTP doesn't actually need this to work without a user gesture. The correct fix here is to fix the NTP tests to correctly simulate a user gesture, not to allow writing to the clipboard without a user gesture.

> I think copying into the clipboard needs an overhaul—even with a gesture. Don't you hate when news sites add a "- from XYZ" to your clipboard? That shouldn't be possible. I'm not sure how you'd fix this, but it should be fixed.

This is a difficult problem to fix. There are absolutely websites that abuse this. But there are also pages that do use the legacy clipboard API events in non-abusive ways (e.g. rich text editors), and blocking this outright would break legitimate uses as well.

Maybe something like a "copy as plain text" option would make sense...

discuss

dotancohen|3 years ago

  > Maybe something like a "copy as plain text" option would make sense

That's ask I _ever_ want. I never want to copy rich text. I even have a background script that removes formatting from the clipboard every second, to make copying less frustrating.

Hide it in some hidden flag or something, but please, make plain text copying an option!

jhugo|3 years ago

Right? I think, in 25+ years of computing, I have never once wanted to paste rich text. Ever. I just want to paste the text! Yet every time, I have to either fumble for the "paste and match style" key combo, or fix things afterwards.

rav|3 years ago

Don't most apps allow you to paste plain text with Ctrl+Shift+V nowadays? That's what I almost always use, unless I have some use for the copied rich text.

hosteur|3 years ago

Great idea with such a script. Do you want to share it?

lupire|3 years ago

> Hide it in some hidden flag

Google is deeply philosophically opposed to doing that. Power users are a distraction from the billions of normal users.

majou|3 years ago

macOS has "paste as plaintext" instead.

lupire|3 years ago

All we need is "copy without running JavaScript". Just look at what is actually rendered, and copy that. And it should be the default.

userbinator|3 years ago

Why do you call it a "user gesture" and not "consent" as it should absolutely be? Is it to reinforce the notion that users' actions are only to be taken as mere suggestions and ignored if they are contrary to your goals?

samwillis|3 years ago

"user gesture" and "consent" are two completely different things.

Currently (until this bug) it’s supposed to trace back the call stack to the event that triggered it, and only allow it if the triggering event is something like a click. That’s what’s meant by “user gesture”, the opposite of code triggering it independently of the user.

“Consent” would be a positive acceptance in a browser controlled message box asking for permission to use the clipboard.

Most people agree that for copying to the clipboard the first is all that’s needed (there isn’t really a security concern here), for pasting from the clipboard the later is always required.

PoignardAzur|3 years ago

> Is it to reinforce the notion that users' actions are only to be taken as mere suggestions and ignored if they are contrary to your goals?

Wow, rude.

One possible answer to your question: there is no way for a browser to detect "consent", which is a subtle and nuanced concept, but user gestures have a hard and fast definition, so that's the proxy they use.