
The Curious Case of Copy and Paste - pjf
https://research.securitum.com/the-curious-case-of-copy-paste/
======
nullc
The related issue most irritating for me is that Google search makes the URL
hover claim one destination, but when you click, the click itself rewrites the
URL to funnel through their tracking service.

This is an extremely dangerous attack vector which Google is abusing to
compromise user privacy (but fortunately, not worse). There was a Firefox bug
open on this for years but it seems like Mozilla really didn't want to break
their big sponsor's analytics.
([https://bugzilla.mozilla.org/show_bug.cgi?id=229050](https://bugzilla.mozilla.org/show_bug.cgi?id=229050))

I find it extremely annoying because I often search for PDFs to answer
questions for people and if I click the link it pops up in an external viewer
and I get no opportunity to copy a URL. Unfortunately the right-click to copy
also triggers the onclick handler to add the Google tracking spam, causing me
to copy an extremely long and chat-unfriendly URL.

~~~
saagarjha
(DuckDuckGo doesn’t do this, which is one of the minor reasons why I use it.)

~~~
lapcatsoftware
I recently discovered that DDG does clickjacking too, albeit in a different
way. My blog post:
[https://lapcatsoftware.com/articles/duckduckgo.html](https://lapcatsoftware.com/articles/duckduckgo.html)

~~~
saagarjha
Oh, that’s interesting. I wonder if this is intentional?

~~~
lapcatsoftware
Yes, their JavaScript is checking whether you clicked an ad, clicked a DDG
internal URL, etc.

------
pjc50
The ability of JavaScript to alter the "copy" contents is, like the ability to
disable zoom, something that's nearly always used against the user and the
usability and accessibility of the site. Such as appending disclaimers and
copyright notices to strings.

~~~
elpescado
The problem is that the same medium (HTML) is used for "documents" and
"applications". Programmatic access to clipboard, zoom, etc. is legitimate for
"HTML applications" like Google Docs/Maps but unnecessary for "HTML
documents", along with virtually all scripting.

~~~
pjc50
I'd quite like to see a three-way partition between "dumb document" (DOM
frozen after load, possibly no processing at all), "smart document" (DOM APIs
only, possibly plus classical HTML form submission), and "actual application".
Ideally with a way of telling which is which _before_ loading it. I don't
realistically expect this to happen.

The stupid thing about AMP is that it's trying to push sites back into the
"document" box, but only so that they can be monetized more effectively by
Google...

~~~
divbzero
It would be great if this could be enforced with browser permissions.

 _Allow Gmail to run as an application in your browser?_

[ _Deny_ ] [ _Allow_ ] [ _Always Allow_ ]

------
davidgerard
Copy and paste in browsers is a horrible mess, as LibreOffice is finding out
with its web version:
[https://people.gnome.org/~michael/data/2019-09-12-copy-paste...](https://people.gnome.org/~michael/data/2019-09-12-copy-paste.pdf)

~~~
gcbw3
Heh. This reminded me of some LibreOffice bugs I track. One is to have plain text
copy paste be the default. The other is to completely disable selected text
dragging.

There's a large number of people who like both of these features. Go figure.

------
autocorr
It's tangential to the article, but I've found it's been really helpful to
have dedicated copy and paste buttons on the left hand. On Linux the highlight
and middle click is nice, but not every application can be selected (like
split windows in tmux) and the buffers don't always match between applications
(like Firefox and something else). But I've found Ctrl+Insert and Shift+Insert
works practically without fail everywhere. I have a programmable keyboard so
made macros for those two commands and mapped them to keys on the non-mouse
hand (extra thumb keys on an ergodox, not bad to lift the hand a little to
reach them). Works great! For something so universal as copying text it would
make sense to have dedicated keys for them on many keyboards, like volume up
or down.

------
securitymb
Hey, I'm the author of the write-up. Nice to see my research here!

If you have any questions, please let me know.

------
divbzero
Great write-up. Reminds me of different copy-paste concerns that persist in
other platforms. [1]

[1]: [https://news.ycombinator.com/item?id=22569662](https://news.ycombinator.com/item?id=22569662)

------
andrewstuart
All keyboards should have cut/copy/paste buttons under the delete/end/pgdn
row.

~~~
spupy
On Linux: Control+Insert/Shift+Insert for copy/paste

------
mattigames
In a barely related subject, does anybody know a good clipboard manager (e.g.
multiple copy + paste) for Mac that supports both text and images? (like Ditto
on Windows)

~~~
oxfeed65261
For Windows, Thornsoft Clipmate is very powerful and one of my must-have
utilities, despite its lack of recent updates.
[http://thornsoft.com/](http://thornsoft.com/)

