
Flash-Free Clipboard for the Web - smacktoward
https://hacks.mozilla.org/2015/09/flash-free-clipboard-for-the-web/
======
Raed667
I really appreciate this, as I had to jump through a lot of loops to do so a
few years ago. But I think that the browser should display a small alert when
this API is called (like the webcam, or microphone).

~~~
steveklabnik

      > Google Chrome and Internet Explorer both also support this API. Chrome uses
      > the same restriction as Firefox (that it must be run in a user-initiated
      > callback). Internet Explorer allows it to be called at any time, except it
      > first prompts the user with a dialog, asking for permission to access the
      > clipboard.
    

Seems like IE does what you want.

~~~
hobarrera
> Seems like IE does what you want.

It makes me feel very confused that this is actually true.

------
zserge
I was so disappointed that every color picker website nowadays uses
flash/zeroclipboard to only copy HEX color value (6 letters!). It's so slow
and inefficient. I ended up making my own one using this clipboard API -
[http://0xrgb.com](http://0xrgb.com)

Glad to see that FF now supports this API, too!

~~~
ck2
Yup it wipes out whatever important info I was saving in my clipboard without
warning me what-so-ever

I guess I could put a megabytes into anyone's clipboard now when they click on
any link on a website.

~~~
anjanb
No, you can't do that. from the mozilla link, "Google Chrome and Internet
Explorer both also support this API. Chrome uses the same restriction as
Firefox (that it must be run in a user-initiated callback). Internet Explorer
allows it to be called at any time, except it first prompts the user with a
dialog, asking for permission to access the clipboard."

~~~
MichaelGG
Clicking a link is a user-initiated callback. So yes, he can do exactly that.
I wonder if mouse move is also user-initiated.

------
tyho
I prefer

    
    
        window.prompt("Press Ctrl-C then Enter", text);
    

I don't want sites to be able to randomly clear my clipboard.

~~~
lukifer
I consider it an OS-level deficiency that clipboard copy is destructive by
default. The fact that no major OS has multi-clipboard out of the box in 2015
is shameful.

~~~
tomphoolery
Even with multiple registers in Vim, I still can't get my mind to think that
way. I just link everything with the system clipboard because it's easier to
deal with. How do you comprehend all of that hidden information in memory? To
me, it seems like a useful feature if you do or can use it, but for most users
it's just extra complexity.

~~~
tyho
Even worse with vim is there are operations like delete which push to the
register stack without you intending it, it makes it really difficult to keep
track of where your stuff is without looking.

------
moron4hire
I make a text editor that runs in a texture on a 3D object in the browser. I
have a text area hidden in the background that technically holds focus and all
clipboard operations go through it.

I was hoping this would let me get rid of that crufty text area. It's a
serious quality and performance liability, and in certain special cases even
ruins the UX. But it looks like that is not the case. Le sigh.

------
ihuman
_The execCommand( "cut"/"copy") API is only available during a user-triggered
callback, such as a click. If you try to call it at a different time,
execCommand will return false, meaning that the command failed to execute._

Couldn't you bypass this by creating an invisible button, and then simulating
a click event?

~~~
mschuster91
The engine can walk up the call stack and detect if the command was triggered
by a click event.

~~~
joosters
There will always be a way to hide / obfuscate the action, making it seem to
the browser that it was user-initiated.

I guess Mozilla have weighed up the convenience/security balance of browser
control of the clipboard, and have put in a minimal protection scheme to make
it clear that code _should not_ play with it behind the user's back, but
Mozilla knows that they can't really stop it.

~~~
TazeTSchnitzel
> There will always be a way to hide / obfuscate the action, making it seem to
> the browser that it was user-initiated.

How? This security mechanism has been used for (among other things) popups for
years now, and the only way it's been worked around is by attaching click
handlers to links the user is likely to click.

~~~
joosters
Pop ups still occur, even on legitimate sites. Tripadvisor creates a pop-under
when you click on a search result, for instance.

Basically, the user will click something at some point, the page can then
unexpectedly put malicious stuff into the clipboard. No amount of protecting
will stop this.

~~~
IshKebab
That's exactly what he just said.

------
ck2
Can't this be used to poison the clipboard with bad code that once pasted in
the wrong place will execute?

~~~
Vexs
Just as much as the existing flash-based methods can.

~~~
ck2
Well I haven't used flash in years.

But Mozilla just re-enabled this exploit and I don't think it can be turned
off.

~~~
mystor
There is a preference to disable the feature: dom.allow_cut_copy

------
ibrad
Thank you developers and all, but I don't think I had much trouble copying
text before. On the contrary, when I click on a field and it force select
everything for me I get frustrated.

Trust me, selecting text is not a problem. I haven't seen a place where click
to select was a life savior.

