fosefx | 3 years ago

Well an extension can also just send your session tokens home. In the end it's software running on your computer, but people unfortunately oftentimes underestimate the power of add-ons (read the permissions screen, folks!). Mozilla requires a manual code review before allowing add-ons into the store because of this afaik.

In my example there was direct user interaction (clicking a context menu) but the service worker (background script) has no API to interact with the clipboard at all.

I guess my point is not that it's an easy thing to fix, but the fact that it looks like nobody at Google has thought about this before forcing everybody to migrate is concerning.

nightpool | 3 years ago

> Well an extension can also just send your session tokens home

Only if I give it access to the browsing origin in question, which Chrome has done a lot of work to limit and crack down on recently.

> Mozilla requires a manual code review before allowing add-ons into the store because of this afaik.

This is unfortunately not actually true. They tried it for a while, but scrapped the idea after the review backlog got too unmanageable. Now all of the addons just say "This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing."

> In my example there was direct user interaction (clicking a context menu) but the service worker (background script) has no API to interact with the clipboard at all.

That makes sense—the limitation is just that nobody has built out the clipboard API in a way that it can register a context menu item as a transient activation and therefore allow access to the clipboard. This does sound like ultimately something that's possible to fix with the right plumbing, it just requires someone to take a look at it and hook up the right security plumbing.