top | item 37966870

c7DJTLrn | 2 years ago

I am surprised that Firefox freely allows access to the clipboard. I'm using Brave and there's an explicit permission for it that is disallowed by default.

polpo|2 years ago

There are guardrails around access to the clipboard (and the post talks about the circumstances around it) but this exploit takes advantage of the fact that simply selecting text on X11 puts it in the primary selection buffer. The code just tells Firefox to select the text.

somat|2 years ago

Not that it matters, but it does not really put it into a buffer, at least not in the sense that there is a place within X11 that is storing your selection. I think that when you paste the primary selection, X11 directs your application to the application that last selected something and you ask it for the selected bit in a specific (usually text) format.

More on topic, this works fine within the trusted green zone of local desktop applications, but the browser is (or should be) a high-security zone with a really tricky security policy, which to paraphrase would be "Allow passing information to the rest of the OS, but only as a result of a direct user request." You don't really want to disallow the browser to script selecting anything; this is useful for editors. But you probably want to maintain a flag on that selection as to whether it was done by the user or not.

Well there is my useless pedantry for the day done. My apologies and thank you for letting me get that off my chest.
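
Added example (not part of the comment above, and not Firefox or Xlib code): a toy Python model of the ownership hand-off somat describes, plus the suggested "was this selection made by the user?" flag. The class and function names are hypothetical, and the real asynchronous SelectionRequest/SelectionNotify exchange is collapsed into a direct call.

```python
"""Toy model of X11 PRIMARY selection ownership (constructed for illustration)."""

class XServer:
    """Tracks only WHO owns each selection; it never stores the selected data."""
    def __init__(self):
        self.owners = {}            # selection name -> owning client

    def set_selection_owner(self, selection, client):
        self.owners[selection] = client

    def convert_selection(self, selection, target):
        """Paste path: forward the request to the current owner, relay its reply."""
        owner = self.owners.get(selection)
        return owner.on_selection_request(selection, target) if owner else None


class Browser:
    """Hypothetical browser client that flags each selection with its origin."""
    def __init__(self, server):
        self.server = server
        self.selected = ""          # what is highlighted inside the page
        self.exported = None        # what this client will serve for PRIMARY

    def select(self, text, user_initiated):
        self.selected = text        # in-page selection always changes (editors need it)
        if user_initiated:          # policy: only a direct user action reaches the OS
            self.exported = text
            self.server.set_selection_owner("PRIMARY", self)

    def on_selection_request(self, selection, target):
        if selection == "PRIMARY" and target == "UTF8_STRING":
            return self.exported
        return None                 # refuse selections/targets we do not serve


def middle_click_paste(server):
    """Another application asking for PRIMARY as text."""
    return server.convert_selection("PRIMARY", "UTF8_STRING")


def demo():
    x = XServer()
    browser = Browser(x)
    browser.select("text the user highlighted", user_initiated=True)
    first = middle_click_paste(x)
    browser.select("text a page script selected", user_initiated=False)
    second = middle_click_paste(x)  # still the user's text, not the script's
    return first, second, browser.selected
```
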

neilv|2 years ago

I boggled over this particular obvious problem for years.

But I don't recall Firefox ever being hardcore security and privacy (even though some of their techies are). For Mozilla, that's a fairly recent positioning that they're growing into.

Initially, there was competition to be the most popular browser.

But most of the history is a constant movement towards having the browser facilitate what companies wanted to do towards users (moving away from the "user agent" as an agent of the user).

In parallel, Google paying Mozilla for placement, and then possibly to keep a nominal competitor alive.

In recent years, Mozilla has been positioning itself as one of the champions for Internet freedom, and I assume that some of their people were that all along (e.g., the kind who could've gone to Google, but chose to work for much less money at Mozilla). Though I don't know how genuine that sentiment is from the top, when leadership draws huge compensation, for poor performance, while laying off techies. (Techies traditionally have led Internet freedom, from the ground up, and leadership might be better thought of as a humble support system for that.)

redder23|2 years ago

I am using Brave on Linux, where I do all my work as well; that might be why "copy to CB" on websites does not work for me anymore. I think they did. But there is nothing asking me for permission or anything. I recently was on a website where it just did not work and I needed to manually copy pasta.

5e92cb50239222b|2 years ago

have a look at

  brave://settings/content/clipboard