Don't fuck with paste

By disabling user input the application security actually gets worse. Users that can’t copy e.g. passwords will use less complex passwords to overcome the trouble of typing in their initially good passwords. But also user experience is degrading when applications enforce complex input and users generate that input like a chad as they should. But now they cannot paste…

> In order to provide the smoothest experience as possible, the extension needs to know when you change active tabs. In order for the extension to know about that event, it needs the tabs permission, which Chrome describes as "can read and change all your data on websites you visit." That description is very scary, and is certainly not what this extension is doing. Being an open-sourced project, you can always read all the code to see how this extension works, and what it's [not] doing with your data.

The problem is that even if I read the code, or more likely chose to trust that someone has, it's not guaranteed to remain true for future updates. The author's scruples may weaken with time, or they might sell the extension, etc. (I think Chrome's extensions auto-update, but even if they didn't I'd still have to remember that this extension is one that I can't assume it's safe to update.)

To work around this I usually drag and drop text pasted into the URL field or somewhere, on my Mac at least.

Can I just say though that disabling paste, apparently in the name of security, is the dumbest shit I have ever encountered, right in front of ultra short timeouts everywhere.

If only I could meet the people who make these decisions in person...

I use Hammerspoon for Mac, have a shortcut set up for Cmd+Shift+V to actually type the letters rather than use the paste function. Works every time someone pulls this stunt.

> hs.hotkey.bind({"cmd", "shift"}, "V", function() hs.eventtap.keyStrokes(hs.pasteboard.getContents()) end)

    -- https://news.ycombinator.com/item?id=39640745
    hs.hotkey.bind({"cmd", "alt"}, "V", function()
      hs.eventtap.keyStrokes(hs.pasteboard.getContents())
    end)

You shouldn't need to trust an addon for this, it's something you should be able to set in the browser.

In firefox you can toggle dom.event.clipboardevents.enabled

I welcome this extension as I, too, hate when sites prevent me from pasting (eg. to confirm my account and routing number, email address, etc). It fucks with my password manager and of course it's annoying when intricate password rules are implemented to counter the use of weak passwords. BUT. Yeah there's always a but.

But. I have implemented these exact security measures into web applications. I've been handed the requirements and I implemented them. I asked my client why we had to do this, when "everyone" knows that this stuff is terrible user-experience and can backfire spectacularly for security (the same people who would memorize a shitty password and use it everywhere, will now write their expiring, "strong", impossible-to-remember password on a sticky note or save it to a text file or spreadsheet called 'passwords.txt' on their Desktop). The answer is: we have to, for compliance. To pass a security audit. To prove to some major client or insurance company that we have a number of industry-standard measures in place to improve security. Unfortunately, your bank does not care about the 2% of us using password managers. Everyone else is still memorizing passwords, forgetting them, and making jokes about it like it's 2003.

This[1] alternative bookmarklet was posted here a while back.

[1]: https://bookmarkl.ink/ashtonmeuser/6e3869d8e468e016f22a4b4de...

In case of not being able to past I normally right click -> inspect element and in the console write $0.value="value from clipboard". Works almost everywhere.

Tampering with paste is kinda is like turning of autofill and the HTML5 standard is pretty clear when it should only be turned of: ".. particularly sensitive (for example the activation code for a nuclear weapon); or that it is a value that will never be reused (for example a one-time-key for a bank login) ..."

Right up there with hijacking Ctrl-F.

Anyone one else noticed OP got 399 upvotes for sharing a fork with no significant upgrades compared to the original repo?

This was one of those things that frustrated me so much that we ended building this natively into Orion browser (Tools menu -> Allow Copy & Paste). [1]

One of the joys of building your own browser.

[1] https://kagi.com/orion

For something simple like this that doesn't really need to be on all the time I've started leaning back towards bookmarklets over extensions. The code is usually simple enough to actually audit, it only runs when you click the bookmarklet, and it doesn't update underneath you without warning.

A few months back someone shared several bookmarklets that they use, one of which was a simple one that disables all clipboard events on the open tab:

https://news.ycombinator.com/item?id=38014653

For Safari you can get Don't Fuck with Paste (and lots of other Don't Fuck with X options) with the Stop The Madness extension.

https://underpassapp.com/StopTheMadness/

This really irks me to no end with password managers in particular. I like to generate 30 character random passwords and sites that limit input or block paste in the verify field are particularly annoying.

Similar for login and 2FA entry fields. There's no good reason for it.

I've often gone an extra bit to ensure password managers work well. I wish more sites would do the same.

There is one thing I hate more. Its having my cursor moved to another application as I am typing out a password in a field. I've literally had to change a password after it suddenly got sent out in a google search when I wasn't paying attention.

Merging the bookmarklet version of the upstream addon this one is forked from [1] and another bookmarklet that has been posted in comments here [2], I got to this:

    javascript:['copy','cut','paste','contextmenu','selectstart'].forEach(e=>document.addEventListener(e,e=>e.stopImmediatePropagation(),true));

Right now I cannot think of any page that inhibits pasting, what is a good candidate to test this out?

[1]: https://github.com/jswanner/DontF-WithPaste?tab=readme-ov-fi...

[2]: https://bookmarkl.ink/ashtonmeuser/6e3869d8e468e016f22a4b4de...

Used to be simple to workaround this with basic web APIs (el.value = 'whateverIwant'), until this newfangled web framework from Facebook broke the web.

How about an extension that STOPS websites from NOT letting me right-click. When a site forceS me to go through the stupid Chrome menu to laboriously drill down and find Developer Tools manually I want to throw it out the window.

100% in agreement with regaining paste. Another workaround is to create a macro that will "type" the clipboard contents, simulating typing it out by hand.

On macOS you can do this via Keyboard Maestro [1]. Create a macro with the action "Insert text by typing" and for the text to insert use `%PastClipboard%0%`.

Yes, very niche, but I'm sure some HN users already use Keyboard Maestro.

[1]: https://www.keyboardmaestro.com/main/

Firefox has some about:config settings for this:

* dom.event.clipboardevents.enabled

* dom.allow_cut_copy

And also, the ability to force a paste as plaintext or force right-clicks to behave properly by using shift.