
Websites can change content inside a selection - void_nill
https://bugzilla.mozilla.org/show_bug.cgi?id=1591698
======
danShumway
How exactly would you block this behavior without getting rid of a substantial
portion of web functionality, even around simple document styling?

It's not a Javascript problem. To make it impossible, we'd need to get rid of
invisible spans. Text overflow can't be hidden. This means you can't display
extra text to screen readers, since that's invisible text. Also, non-system
fonts are right out, because they can contain invisible characters, or even be
remapped so that the wrong characters display.

The 'solutions' I'm seeing proposed on this issue are hacks. If this is a real
problem, the real answer is to just make the clipboard visible when you copy,
preferably on an OS level (since literally every format/platform that allows
bundling custom fonts is vulnerable to this, including PDFs).

Prefer security solutions that are simple and universally understandable,
rather than solutions that rely on adding a bunch of code to plug part of a
hole. Doing real-time analysis to figure out whether text is visible doesn't
fix the whole problem, and is highly error prone.

I think Mozilla is right to reject this. If you're coming up with hacks about
per-domain character recognition that will end up behind some kind of
permission prompt that users will click through without reading anyway...
that's a sign you haven't thought hard enough about what the problem is. When
something is written to the clipboard, just bring up a notification on-screen
and show the user what they copied, and give them the option to inspect/edit
it in more detail. The best thing is that's an OS-level mitigation, and not
another weird, buggy implementation detail that makes it harder to build or
inspect a web browser.

~~~
millstone
This highlights the tension between the web as publishing vs an application
platform. Publishers do not need programmatic clipboard access, but
applications do.

Metro is a publisher, and so ideally should just serve content. But the web is
ad-supported, and ordinary ads are non-economical (maybe?), so Metro is forced
into the application space. The browser gives them an inch and they take a
mile.

I wish browsers sliced along this line. You get to be an app or a document,
not both. Documents give up control but can play in more sandboxes. Apple News
does this, AMP is trying it but has other problems.

~~~
danShumway
The problem isn't Javascript in this case.

You can trivially execute this attack with CSS by adding invisible spans that
will be copied, but not rendered, and pseudo-elements that will be rendered
but won't be copied.

You can also trivially execute this attack by bundling a custom web font that
contains invisible characters and swapped glyphs.

I don't know what Apple's writing format is for Apple News, but AMP at least
does not block this attack. It's not necessarily even a web thing -- PDFs are
vulnerable to this attack, because they allow embedding custom fonts.

------
WA
This has been a "bug" for a long time with exactly the same behavior that is
described here. Copy&paste from a news article or a blog and have something
like "read more at <URL>" inserted.

It's also not Firefox-specific. Same behavior happens in Safari and Chrome.

But yeah, it makes total sense to point this out that hijacking the clipboard
is probably not a good idea and this might be a security issue.

------
rhn_mk1
I find the reasons not to mitigate this in any way short-sighted.

Disabling the copying of invisible text will not mitigate all the instances.
Disabling the modification via clipboard events won't either. Nor will
disabling the ability to see user's selection.

But each of them would cut off a lot of offenders already (defense in depth-
like), and each change in this direction would give credibility to the idea
that the expected behaviour is to copy what's visible. With all of them
implemented, it would become politically much more palatable to plug the last
holes and let copy-paste behave 100% as users expect.

~~~
ArchReaper
I think your suggestion would actually make things worse, because it would
cause more people to have a false sense of security when copying from a web
browser, which is exactly the problem in the first place.

The issue is not that the clipboard can be modified. The issue is that users
expect a clean copy when they copy from a website.

There are many valid uses for this, and there is not a strong enough argument
that this presents a real security issue that would necessitate disabling such
a widely-used feature.

~~~
uneekname
I respect and share your goal to educate users about what they should expect
from their browser/computer security-wise.

As someone with a (healthy?) distrust of the content I copy/paste, and would
never run code I copy/pasted without checking it first (one of the examples
given in the linked bug report thread), I would _still_ rather my browser only
copy the text that I visibly highlighted. It is annoying to edit content out
that I have carefully selected.

~~~
ArchReaper
> I would still rather my browser only copy the text that I visibly
> highlighted. It is annoying to edit content out that I have carefully
> selected.

Absolutely. But how do we solve that problem and still allow proper usage of
it? Removing this feature would break the copy ability of nearly every rich-
text-like web-based UI in existence, such as Google Sheets.

Personally, this feels more like something for an adblock-like addon.

~~~
NoodleIncident
The 10 sites that have a genuine reason to listen to selection events and
force you to copy invisible text can ask permission to do so, as suggested in
the thread.

~~~
ArchReaper
That still does not answer the question of "what are we asking permission
for?"

Why that is a hard question can be understood by reading through the
discussions in the OP.

------
scarygliders
Okay, I've read all the responses so far at time of writing.

Lots of technical solutions which would break the browser/site/web/whatever.

What I haven't seen is;

Why not, on highlighting text to copy, a small window pops up in one of the
corners of the browser, and whatever text would be copied to the clipboard, is
instead bunged into this window?

A sort of intermediate step as it were.

Then if you're satisfied that the content is what you want, hit some 'really
copy to clipboard' button. The window goes away, the text is copied to
clipboard.

A built-in text window. Because most people who use browsers aren't going to
go to the bother of copying and pasting into a text editor (Notepad, Kwrite,
whatever) to vet the contents before pasting it wherever.

So make the intermediate step mandatory.

~~~
chatmasta
I would love this. Similarly, I often use the URL bar as a sort of pivot point
before pasting some bash command into my shell. It would be nice to have some
kind of intermediate scratch pad that is a temporary-unless-touched kind of
element, like what happens when you take a screenshot on macOS.

~~~
DrAwdeOccarim
Same! I always wondered if I was the only one. It's a great way to sanitize
text, especially when pasting into Powerpoint or Excel. Especially Excel
because once you paste something, that formatting does not go away with Ctrl-Z
(relevant comic
[https://i.imgur.com/pwXryVe.png](https://i.imgur.com/pwXryVe.png))

------
asah
A slightly more nuanced proposal:

1. Detect the first time a site (domain? URL?) attempts to copy something
that's not visible. Algorithm TBD but we can start by warning too frequently.

2. Ask the user if this is a trusted site and deny, allow once, allow always.
Users presumably select allow-always for apps like Google sheets.

3. (advanced) detect if enough people over long enough time select allow-
always and then allow users to go with the herd. I'm talking 10+mm users not
10k, i.e. hard to cheat.

4. (Advanced) option to see what's in the proposed copy buffer.

(Obviously this all assumes that publishing sites have web security measures
in place e.g. no raw HTML...)

~~~
ArchReaper
1. As mentioned in the OP, there are numerous ways to add content to a copy
event, and 'not visible' is not a 'real thing' - see discussion in the OP

2. What are we asking the user? Permission to copy from the website?

3. So we are adding a new 'permission' that users must accept to... copy from
the website? And that trustworthiness is based on how many other people click
'allow' on a permissions popup?

4. You mean displaying what you just copied to the user, on copy? So the
browser would give you a popup with the content of what you copied every time
you copy anything?

I'm failing to see how any of your proposals solve the problems mentioned and
discussed in the OP.

~~~
nine_k
(2) A permission to copy something not rendered in the selection.

(4) To show a dialog showing the actual copied content if the content _does
not match_ the rendered visible content of the selection.

~~~
ArchReaper
Both of your answers assume there is a simple and easy way to identify what is
"visible on screen" - which if you read through the OP, you will understand
that is not an achievable concept.

~~~
wvenable
The browser literally highlights the selection so that seems like a solved
problem.

I'm in favor of two-tier system where rich applications require permission for
enhanced clipboard events but the average site will just copy what is selected
without modification.

~~~
ArchReaper
> The browser literally highlights the selection so that seems like a solved
> problem.

It's nowhere close to a solved problem, and is much more complex than this.
Give a read through the comments in the OP for a taste of why.

~~~
nine_k
I did; it sounded mostly hand-wavy.

Maybe there _are_ deep reasons why it's impossible, but they are not well
presented in the OP, unfortunately.

------
skibz
One of the people active in the thread concludes that:

> The right approach if you're worried about these vectors is: never paste
> things off internet sites you don't trust directly into your terminal.

I'd like to add that disabling JavaScript also seems like a sensible option,
unless that prevents the site from rendering, of course.

~~~
vbrandl
Disabling JS doesn't help in this case.

This post shows that it is possible to put unwanted text in your c&p buffer
without using JS:
[http://thejh.net/misc/website-terminal-copy-paste](http://thejh.net/misc/website-terminal-copy-paste)

~~~
inetknght
Leading that page in Firefox reader mode seems harmless enough...

~~~
danShumway
Remembering to click a button that strips the fonts/CSS out every page I read
seems a lot harder to me than remembering to always paste into a blank
document before my terminal. Reader mode isn't even available for every site.

That being said, yes, stripping CSS, fonts, and Javascript would fix the
issue.

~~~
jwilk
You would also have to disable images, because they could hide text in the alt
attribute. (The reader mode doesn't do it for you.)
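
Added example, not part of any comment in this thread: a scripted version of the "paste into a blank document before the terminal" habit discussed above, which shows clipboard text with every non-drawing character made visible and flags what makes it unsafe to paste into a shell. The function names and the sample string are constructed for illustration.

```python
import sys
import unicodedata

# Constructed sample: what a clipboard might hold after copying "ls -la"
# from a page that hid extra text inside the selection.
SAMPLE = "ls -la\u200b\necho constructed-hidden-line\n"


def reveal(text):
    """Return text with every character that draws nothing shown as a tag."""
    out = []
    for ch in text:
        if ch == "\n":
            out.append("<LF>\n")  # tag it, but keep the break for readability
        elif unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp"):
            # Cc = control, Cf = format (zero-width, bidi), Zl/Zp = separators
            out.append("<U+%04X>" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def findings(text):
    """List the reasons this text should not go straight into a terminal."""
    found = []
    if "\n" in text or "\r" in text:
        found.append("newline")    # a shell may run the line as soon as it arrives
    if any(unicodedata.category(c) == "Cc" and c not in "\n\r\t" for c in text):
        found.append("control")    # escape sequences, bell, backspace, ...
    if any(unicodedata.category(c) == "Cf" for c in text):
        found.append("invisible")  # zero-width and direction-changing characters
    return found


if __name__ == "__main__":
    # Pipe the clipboard in; with no pipe, fall back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(reveal(data), end="")
    print("\nflags:", findings(data) or "none")
```

To check real clipboard contents, pipe them in, for example from `pbpaste` on macOS or `xclip -o -selection clipboard` on X11.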

------
vezycash
Off topic: I've been wanting a:

'Exclude on this site,' 'Run on this site only' option for Firefox addons. A
site Whitelist / Blacklist menu for all Firefox addons.

It should be accessible from the toolbar, so I can click to restrict / allow
the current domain without needing to type (that's for the extension details
page).

This will be massive privacy help.

------
codezero
As someone who spent quite a while understanding the differences between
innerText and textContent between different browsers and browser versions, I
completely empathize with the POV that it's not just as simple as not letting
someone copy what isn't "visible." It's really hard to define visibility of
text in a simple straightforward way.

------
lilyball
> _Note that this is a horrible security issue. The newlines cause the text to
> be immediately executed if I pasted it into a command line window._

Modern terminals & shells guard against this. Modern *nix terminals emit
special "paste bracketing" codes around the pasted text, which the shell can
use to turn off handling of newline (such that you just get a multiline input
instead of executing text). I don't know about Windows but I would hope
Windows terminals have similar capabilities.
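
Added example, not part of the comment above: a toy model of the paste bracketing it describes, showing why the same pasted text runs immediately without bracketing and stays on the prompt with it. The function names, the simplified line editor, and the sample text are constructed for illustration; only the two marker sequences and the mode switch are the real terminal codes.

```python
PASTE_START = "\x1b[200~"   # sent by the terminal before pasted text
PASTE_END = "\x1b[201~"     # sent by the terminal after pasted text

# Constructed sample: clipboard text carrying a second line the user did not see.
PASTED = "ls -la\necho constructed-hidden-line\n"


def terminal_send(pasted, bracketed):
    """Bytes the terminal hands to the shell for one paste.

    bracketed is True when the shell has switched the mode on (ESC [ ? 2004 h).
    """
    return PASTE_START + pasted + PASTE_END if bracketed else pasted


def line_editor(stream):
    """Toy model of a shell line editor.

    Returns (executed, pending): commands that ran, and text still sitting
    on the prompt waiting for the user to press Enter.
    """
    executed, pending, in_paste, i = [], "", False, 0
    while i < len(stream):
        if stream.startswith(PASTE_START, i):
            in_paste, i = True, i + len(PASTE_START)
        elif stream.startswith(PASTE_END, i):
            in_paste, i = False, i + len(PASTE_END)
        else:
            ch = stream[i]
            if ch in "\r\n" and not in_paste:
                executed.append(pending)   # newline outside a bracket: run the line
                pending = ""
            else:
                pending += ch              # inside a paste a newline is just text
            i += 1
    return executed, pending


if __name__ == "__main__":
    print(line_editor(terminal_send(PASTED, bracketed=False)))
    print(line_editor(terminal_send(PASTED, bracketed=True)))
```

With bracketing the hidden line does not run on paste, but it is still on the prompt and runs once Enter is pressed, so the pasted text still has to be read first.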

~~~
ByThyGrace
Hmm I'm concerned that zsh doesn't seem to do this by default.

~~~
lilyball
/bin/zsh (version 5.3) in Terminal.app on macOS 10.14.6 does.

------
Mathnerd314
There are some extensions that help, e.g.
[https://github.com/aaronraimist/DontFuckWithPaste](https://github.com/aaronraimist/DontFuckWithPaste).
It just allows you to paste, IIRC, not copy, but if someone was really annoyed
I guess they could make one for copying. And NoScript had some clickjacking
protection, but it hasn't been ported to the WebExtension yet.

Typically though these are done with third-party scripts and just blocking the
script is sufficient.

In this case it isn't so uBlock has a rule:
[https://www.reddit.com/r/uBlockOrigin/comments/7l54xr/metro_...](https://www.reddit.com/r/uBlockOrigin/comments/7l54xr/metro_copyjacking_filter/)

------
osamagirl69
Hasn't this been the expected behavior since the dawn of the web 2.0? Next he
is going to complain that websites can have a hyperlink that says example.com
but points to badexample.com! And worse yet, they can use js to hide their
tracks! (ie, google search click redirects)

~~~
pavel_lishin
> _Hasn't this been the expected behavior since the dawn of the web 2.0?_

Expected for cheese-brained marketers who love to slap garbage into my
selections. Certainly not expected when I'm trying to discuss an article in
slack and comment on excerpts.

------
psykus
A grantable permission would be nice. "This site would like to modify your
clipboard"

~~~
Sohcahtoa82
As mentioned in many other comments, both here and in the link, sites don't
need to modify your clipboard to exploit this behavior. They can insert
invisible text inside the highlighted area when you select text, before you've
even hit Copy, and this hidden text will be copied.

------
jawns
If there really are technical reasons not to change this behavior, then
shaming sites that employ it to do bad things seems like a next-best solution.

Perhaps a browser extension that maintains a list of offenders and alerts the
user that the site injects bad things (including marketing and promotional
stuff) into copied text?

------
mikl
This is one of those cases where useful features for web applications (ie.
custom copy & paste logic) enables dark UI patterns for the web in general.
Nigh impossible to solve without breaking existing apps.

------
_bxg1
The challenge around issues like this, is that the informal separation between
"trusted" and "untrusted" software used to be formalized (by coincidence) as a
_technical_ distinction: software you installed to your computer could do
whatever it wanted, but you put more thought into whether or not to use it in
the first place than you do when you click a link.

Now that those cases are combined into a single technical platform, it's
difficult to tease them back apart when it comes to level of trust.

------
greggman2
changing this behavior will break many sites. slack, discourse, Gmail
chat/Hangouts , Facebook messenger, and I'm guessing discord etc.

Most chat sites seem to want their own emoji. Gmail replaces emoji with
Google's. Discourse claims to do it to make it consistent across devices and
they got angry when I asked for an option to disable the conversion and just
leave things plain text.

In order for all of these to work they have to let you select your chat
messages with their embedded images and then convert that back to utf8 if you
copy

~~~
pavel_lishin
> _changing this behavior will break many sites. slack, discourse, Gmail
> chat/Hangouts , Facebook messenger, and I'm guessing discord etc._

How will it break any of those sites?

If you mean that it won't copy-and-paste formatting, which is encoded in a
mark-down like syntax, then that's true - but most of the time when I copy
something on a website, the formatting there rarely makes it through to
another application (like any of the ones you mentioned) anyway, and most of
the time when it _does_ survive the journey, I silently curse and try to
remember what the "paste without formatting" hotkey is.

~~~
greggman2
since HN doesn't allow emoji I can't post an example. without this feature
what you copy in slack would be

    text <img src="happy.png"> text

instead of

    text (@) text

where (@) is actual utf8 emoji

same for vscode/Monaco where the editor adds a clickable color box for css
colors.

~~~
pavel_lishin
It'd be nice if browsers would copy an image's alt-attribute if you tried to
copy some text that included an image; that would solve the problem.

In any case, I would gladly give up the ability to copy-and-paste an emoji if
it meant never again seeing a long line trying to link me to some website just
because I had the audacity to copy three words from a news article.

------
InsomniacL
1) Remember the selection when the selection is made, if content changes
ignore until a re-selection is made or un-select when it changes.

2) for hidden content, when selected display a permission box

2.1) permission box states, "hidden content was selected but Chrome removed
it, to allow hidden content to be selected for this website click allow"
[Allow] [Ignore]

obviously it needs finessing but it seems possible?

------
staeke2
I think a sensible ”solution” might be for OS vendors (usually not that
different from browser vendors) to continuously monitor the clipboard just
like anti-virus software is monitoring the file system for viruses. And block
access (or condition it with hard warning modal) on pasting flagged text.
Possibly allow pasting to same site without check.

------
boomlinde
I am glad to see this raised as a bug, even if the fix would be a huge
breaking change. It highlights one of many ways that growth of complexity and
API surface of the browser has become a serious security issue.

Maybe merging the concepts of a hypertext document layout system and an
application platform wasn't a good idea.

------
btschaegg
I'd just like to point out that I find the reflex of "I don't like the
comments here, so I lock the bug report down" rather misfortunate.

On the same note, I like to see how the discussions here look like a good
distributed brainstorming session instead (ignoring a couple of naysayers).

------
namanaggarwal
Not important though but the reporter says that they used ctrl+v to copy. Is
that right or a typo ?

~~~
grenoire
Likely a typo.

------
shujito
I'd disable javascript on the offending website (not web apps, but blogs, news
sites, or the likes) for anything JS related that causes annoyances, like
popups or unsolicited modals or alerts.

~~~
Someone1234
This can be done entirely with CSS or even HTML. Disabling JS only mitigates
this, it isn't a solution.

~~~
jakeogh
How can a page modify the selection without JS?

------
hamandcheese
The people most likely to be actually harmed by this are developers, right
(i.e. pasting in to a terminal)? And shouldn’t we of all people understand
that there isn’t much practical difference between opening a shady website,
and running a shady executable binary? And if pasting straight into your
terminal then there literally is no difference whatsoever.

Aside from shady websites, the other main attack vector would be, e.g., a XSS
vulnerability on Stack Overflow. And browser vendors do seem to take XSS very
seriously, and there are a number of ways to mitigate those.

Scummy news site injecting social links in to copied text? That to me sounds
like a people problem, not a software problem.

~~~
pjc50
> And shouldn’t we of all people understand that there isn’t much practical
> difference between opening a shady website, and running a shady executable
> binary?

But there is a big difference. This is almost the entire point of a browser, a
secure way of viewing data from outside our control?

------
adrr
Attacking shell seems to be an exploit that could maybe affect 1 out of 50
people. Attack the url bar with "javascript:" and you can have XSS attack on
any site.

------
shmerl
When such fooling around happens, you can select, then do "view selection
source", then when source opens, already copy with Ctrl+C.

------
banger180
An alert that you did not copy what you think you copied would not be out of
place in my opinion.

~~~
netsharc
An OS window that flashes to show you what you just put in the clipboard would
make life easier. Or a keyboard shortcut to show that content. Besides, it
seems like the clipboard could use a redesign, the OS default has always been
a stack of 1, unless you install a 3rd party tool to manage it.

------
uptown
Wait till people find out what Facebook does with the device clipboard.

------
ArchReaper
Why is this being posted? This "issue" has existed for a long, long time, and
it is not specific to any single browser.

~~~
netsharc
The bug poster is a well known German tech blogger (blog.fefe.de , in German),
so maybe that's why it's gained traction.

He also whined on his blog that saying "it's what's expected and that's how it
works on every browser" is bullshit, Firefox was the 1st browser that e.g.
implemented popup blocker, which obviously breaks the "expected" functionality
of window.open; or blocking 3rd party cookie also isn't according to the spec
of how cookies work.

