
Don't touch my clipboard - otras
https://alexanderell.is/posts/taking-over-my-clipboard/
======
stefco_
It's not just a browser thing. Apple Books does this with their e-books, which
is _infuriating_ if you're working with a coding book and just want to copy-
paste stuff into your editor/terminal. You get something like:

    
    
        “ghci> putStrLn (pretty 10 value)”
    
        Excerpt From: Bryan O’Sullivan, John Goerzen, and Donald Bruce Stewart. “Real World Haskell.” Apple Books. 
    

When you only copied:

    
    
        ghci> putStrLn (pretty 10 value)
    

Note that the quotes around your actual selection aren't even the ASCII quote
character; you get horrid unicode quotes that are easy to miss if you're just
trying to run a bit of code in your REPL. This isn't even a DRM ebook, so it's
not like Apple is being compelled by contract to insert a citation. It's
awful, user-hostile behavior that removes one of the main advantages of
digital-vs-hardcopy coding books (copy/paste), and AFAIK there's no config
that lets you disable it.

~~~
belltaco
Wonder if an author will rename themself sudo rm -rf / with the proper escape
codes.

~~~
sundvor
Bobby wants his tables back!

~~~
numlock86
Legend has it that all data related to little Bobby Tables has been lost.

------
smichel17
The wrongest thing about this, from my perspective, is that my browser fires
off a js 'copy' event when I press control-c. There are times when I've found
it helpful that a browser can copy text to my clipboard when I click a button,
but I can't think of a single time when I want a site to react to my attempt
to copy text off if it.

Is there any way to configure my user agent (Firefox) not to do this? A hack
is ok.

~~~
cortesoft
I think the wrongest thing is that this is a clear attack vector... make a
site with helpful Linux shortcuts, then replace every copy with "curl
malicious script and run it, plus a newline to make it run immediately"

~~~
oefrha
> plus a newline to make it run immediately

I already mentioned this in another comment, but everyone should enable
bracket paste mode in their shell to defend against this.

[https://cirw.in/blog/bracketed-paste](https://cirw.in/blog/bracketed-paste)

~~~
umvi
I always just type "#" first before pasting... That way it is just a comment I
can inspect before running

~~~
hackmiester
Here, paste this into your terminal:

    
    
        echo "hello"
        echo "lol" ; sudo sl -rf /
    

(In case it's not obvious, the # trick will not help you.)

~~~
jtbayly
So... don’t paste it in my terminal?

~~~
hackmiester
heh, yes. Admittedly, immediately after posting, I did change it from 'rm',
which would not be a good idea to run, to 'sl', which ... well, try it (or
`man sl`), it's fun.

------
actionowl
The last sentence of the article is the absolute best:

> Ironically, a little reverse searching reveals that this code was copied
> verbatim without attribution from this StackOverflow post (see “Manipulating
> the selection” from the top answer). Maybe copy/paste isn’t so bad?

------
cutchin
This happened to me recently and it was pretty embarassing - I copied a two
paragraph snippet from a psychology paper and the website put an ad for CBD
oil in my clipboard above the paragraphs.

The segment I copied was just long enough that it overflowed my chat window so
I had no idea the insertion was even there and I sent it as-is.

The recipient called me about two minutes later and said "hey, I think you've
been hacked - you just sent me a CBD oil advertisement."

So yeah, I'd love to see user agents address this. If I push a copy button
(like github's clone repo button) then fine, I'm at the mercy of their
javascript. But if I copy via ctrl-C or a right click menu, it should not not
let the page interfere.

~~~
millstone
That's kind of hilarious actually.

This highlights the tension between the document-web and the app-web. What if
the page is an image editor, word processor, spreadsheet? These app-web pages
need custom logic for copy and paste. Unfortunately, bad actors (like what you
found) ensure browsers cannot implement this stuff properly, because every
feature is now a way to shove a new ad in.

~~~
chrisweekly
>"the tension between the document-web and the app-web"

This is a huge factor in debates about things like the merits of CSS-in-JS, or
the tradeoffs in "JAMstack" architecture. Pick any polarizing facet of web
development and odds are you'll find this tension at the heart of the opposing
perspectives.

~~~
frosted-flakes
And it's not black/white either. It's a spectrum. There are plain HTML
documents on one hand, and highly dynamic applications like Figma or Google
Sheets on the other hand, but in between are interactive documents and
anything you can think of.

So these features are here to stay.

------
danso
This hijacking “feature” that’s been a part of news and other proprietary
content sites for more than a decade now:

[https://moz.com/ugc/copymagicpaste-a-script-and-
easytousegui...](https://moz.com/ugc/copymagicpaste-a-script-and-
easytouseguide-to-customize-the-copyevent-on-your-website)

Anecdotally speaking, I’ve seen it a lot less these days; mostly, I see it
when copy-pasting from my Kindle app. I’ve rarely ever seen it for a site this
general-purpose (and trivial) though

~~~
smacktoward
It’s been around for so long a clipboard-jacking-as-a-service company, Tynt
([https://www.crunchbase.com/organization/tynt](https://www.crunchbase.com/organization/tynt)),
launched, lived and exited.

If telling people not to do this was going to be enough to solve the problem,
we wouldn’t still be talking about it. The browser vendors really need to shut
it off once and for all.

~~~
saagarjha
And they have 100-250 employees?!

~~~
adtac
I'm sure most of it was just keeping wit the latest JS standard

------
jiggawatts
I can read & write a language that I don't have a keyboard for (I use a
standard US 101 key layout), so I work around this by cut & pasting single
characters around to fix up the missing accent characters. Usually even a
partially fixed word is enough for the spell checker to kick in and correct
the rest, making this surprisingly fast.

The thing that annoyed me recently is that if I cut & paste a single character
in Google Mail, it'll "helpfully" surround it with spaces when pasted. Other
applications like Firefox or MS Word don't have this behaviour.

I just tested it, and the GMail behaviour is wonderfully inconsistent:

Copying from GMail to to plain text (e.g.: a text editor) will result in a
single character.

Copying from plain text into GMail will result in no superfluous spaces.

Copying from GMail to GMail or to any "rich text" editor will add the extra
spaces.

So basically I'm copying plain-text, but GMail is abusing rich-text formatting
to add "magic" behaviour someone at Google assumed is beneficial, but is just
confusing and arbitrary.

PS: Similarly, GMail's spell checker now "fights" with the Firefox
spellchecker and the result is that neither wins and obvious typos aren't
resolved unless I turn checking off and back on a couple of times.

~~~
bmn__
> I work around this by cut & pasting single characters around to fix up the
> missing accent characters.

Let me save you some time in the future. You did not identify the OS and
language/script you have trouble with, so my answer has to be kinda generic.

First have a look whether your OS keyboard settings or a third party provides
an en_US-101 compatible logical layout that adds more accented characters
(typically accessed with right Alt¹) or extra modifier keys² (in addition to
acute, grave, tilde), then install it and memorise the characters you need.
Oftentimes, this is easy because it's mnemonic, e.g.

    
    
        AltGr+l → ł
        AltGr+d → ð
        AltGr+o → ø
        dead_tilde N → Ñ
        dead_double_acute o → ő
        dead_circumflex dead_hook O → Ổ
    

If that's not sufficient or too cumbersome, look into compose key³. That
system is user extensible, more powerful because it provides not just accented
characters, and to the most part has better mnemonics; e.g.:

    
    
        compose U G → Ğ
        compose " y → ÿ
        compose a e → æ
        compose t , → ț
        compose v z → ž
        compose I . → İ
        compose u o → ů
        compose c | → ¢
        compose . . → …
    

¹ [http://enwp.org/AltGr_key](http://enwp.org/AltGr_key) ²
[http://enwp.org/Dead_key](http://enwp.org/Dead_key) ³
[http://enwp.org/Compose_key](http://enwp.org/Compose_key)

~~~
lvh
It seems strange that compose u o → ů is u-with-circle-on-top, but compose U G
→ Ğ is G-with-u-on-top, since it means it's sometimes modifier-first and
sometimes base-first.

(FWIW I use the compose key! Just not those particular characters, my set is
incidentally consistent :-))

~~~
bmn__
Order does not matter with compose, that also makes it more user friendly than
dead keys.

The modifiers' proper names are "ring above" and "breve".

~~~
lvh
Whoa, thanks! I've used the compose key for a long time (I'm an amateur Polish
speaker who also occasionally writes French) and I never realized it was
order-insensitive!

~~~
account42
It's oder-sensitive under X11 but many of the the default combinations are
duplicated with the reverse order.

------
sleavey
Furthermore don't touch my ability to paste into web forms. Some banks do
this, and I have no idea why (some incredibly misguided idea of security?). I
disabled the ability for websites to disable pasting using Firefox's
about:config, but 99.9% of users won't know they can do this.

~~~
Moeancurly
> I disabled the ability for websites to disable pasting using Firefox's
> about:config, but 99.9% of users won't know they can do this.

Have you encountered any unintended consequences from disabling this?

~~~
reciprocity
The consequences of dom.event.clipboardevents.enabled;false mostly results in
errors of functionality with WordPress, Google Docs, and Facebook (but I
suspect FB has other motivations/reasons for this). You might encounter errors
with other WYSIWYG editors, but for the most part, it's a nice optional
feature to have control over.

------
skrebbel
Just want to share that there's also good reasons for employing this
technique.

Eg if you select text in Slack that has emojis or formatting, it tries to put
plain-text into the clipboard that would _produce_ said emojis and formatting
when pasted back into Slack. This is great, and every chat app does does
formatted stuff should do this.

I'd hate it if browser vendors would attempt to block this and as a result,
break that kind of functionality too.

~~~
brianpan
Except that your example is only “great” because Slack is reimplementing text
input- _another_ thing that maybe should just be handled by the system.

Is it great that Slack also has its own autocorrect and doesn’t know about the
system autocorrect?

~~~
skrebbel
I'm not sure how autocorrect is related.

How would you let text input with emojis and formatting and code blocks be
"handled by the system"? I agree that on most platforms, emojis are a solved
problem (although the UX could be better), but the rest isn't.

Sure, like all chat apps, what Slack does is a workaround around system
limitations. But the limitations are there, and they need the "copy" event to
make their hack work end to end.

------
Nicksil
I agree and share the frustration.

A stock Apple application "Books" does something similar as well. When copying
text -- using keyboard shortcut or the context menu rendered as soon as you
lift your mouse (another tragedy) -- your clipboard will look something like
the following (2 lines):

“<what you actually wanted to copy>”

Excerpt From: <Author>. “<Title>.” Apple Books.

That gets written to your clipboard; quotes and everything.

~~~
jerrysievert
as does the kindle app. it's come in handy once for me (in a comment to a hn
post, ironically), but usually it's a nuisance.

~~~
eitland
I loved it when I used Windows and OneNote (it would add metadata when I
pasted to OneNote but not otherwise.)

~~~
iudqnolq
I think the windows clipboard can hold that as metadata. OneNote had a setting
that I could enable so that when I pasted from Edge into OneNote the url was
appended, but the url wouldn't show up if I pasted into another rich text
editor like Word (or OneNote without the setting enabled).

Using org mode now, and there's probably a way to do it with emacs lisp,
but... I'll never get around to it.

~~~
kevingadd
The Windows clipboard has a model where the clipboard contains an abstract
'data object' which exposes a list of supported formats, then you request
formats individually. So a given piece of data could expose (not literally
this, but the equivalent) text/plain, text/html, image/png, $my_custom_format
and then when an application requests a given format it's generated on demand.

This mostly gets used for scenarios where you're pasting into notepad vs into
word - the latter will get rich text if it requests it, while the former is
just going to request plain text and get it. When copying text or images or
HTML out of typical apps, the clipboard actually ends up having 6 or more
different formats in it that all represent the same source content.

The 'generate on demand' means that it's theoretically possible to sync
clipboard operations over the network transparently for stuff like Synergy,
which is pretty cool - no need to copy that big bitmap over unless software on
the other machine actually asks for it. I had some custom clipboard sync
software I wrote that did this automatically (with a progress indicator for
big data like desktop screenshots) in a couple thousand lines of C# and it was
pretty satisfying to use.

~~~
tialaramex
This is how X11's modern clipboard APIs (CLIPBOARD, PRIMARY and so on) are
defined as well, I assume that Apple's approach is similar.

If I had to guess I'd assume either X11 invented it, or a research lab
prototype had it and X11 copied that then was copied by every modern OS

------
crazygringo
Seriously... I want to know the business/legal logic behind adding copyright
messages to the clipboard when copying. This has happened for a long time with
news sites, Apple Books, etc.

 _No user ever_ has _ever_ wanted that.

So what lawyers, where, ever demanded it, and why? Short snippets fall under
fair use _anyways_... and even if it didn't such a message doesn't prevent
anything (you just delete it after pasting)... and it you were oblivious to
how copyrights worked before, this isn't going to teach you.

So it's UX annoyance but _why?_ Not only does it _not_ provide an obvious
legal benefit to any party, I don't even see how it's legally covering
anyone's ass? Like, I know how under trademark law companies have to warn
people against using their trademark generically or else they can lose it --
so as dumb as it is to get an e-mail from Adobe asking you not to use
"Photoshop" as a verb in your press release, I get it. But copyright... _doesn
't work like that._

So how/why did this become a thing? I just don't understand the legal
rationale here.

~~~
otterley
Attorney here! (Not legal advice; consult a licensed attorney in your
jurisdiction.)

I am skeptical that this is a copyright issue that raised an attorney's
attention. It's far more likely IMO that this was a contractual obligation
imposed by the publisher.

I have no insider knowledge as to whether this is actually true, but it's
quite probable that in exchange for allowing Apple Books to republish their
content, the publisher required Apple to append this attribution when copying
content into the clipboard. In theory, preserving such an attribution might
cause more copies to be sold.

Also, contrary to your assertion, not every short snippet qualifies for a Fair
Use defense; there's a four-factor test that courts apply, and the length is
just one of those factors. But again, I think this less to do with copyright
and more to do with a business arrangement.

~~~
pvg
_I have no insider knowledge_

I don't either, with the added bonus of a complete lack of legal training but
this clipboard thing has been a part of commercial e-reader apps for so long,
if your (very plausible-sounding) theory is right, it's been boilerplate in
such contracts for many years.

------
brigandish
This isn't just the web, there's a fundamental leakiness to the Mac's
clipboard. I was horrified to realise that apps were being alerted to what was
on the clipboard when I copied a a public key from some website and MacGPG (or
whichever GPG app it was, they change) popped its head up and told me
(something like) "Hi, you've copied a public key, would you like to save it in
your keyring?"

Does this mean that any currently running app (or maybe not even currently
running, perhaps there's an event system) can see my clipboard?

My feeling about this is unprintable.

I started planning a clipboard app that doesn't allow this but I'm busy and
I'd prefer this wasn't something I need to fix in the first place.

~~~
ma2rten
I believe that the clipboard on windows and in x-server work the same way.
Programs can also read most files including files that contain private keys.

~~~
brigandish
I really care about security and lament that most people don't, but maybe
they've the right idea and I'm just wasting my time. There are simply too many
holes to plug :/

~~~
mattkrause
How do you want the clipboard to work then?

To my mind, the whole point is to provide a way to move information within and
between applications.

~~~
dredmorbius
Here's a stab at defining a function:

The clipboard should act _at an only at user direction_ to copy content from
one application or context to another.

The clipboard should not, nor should applications be able to, alter the copied
content from the visibly-selected content.

Applications, _other than when clearly and unambiguously directed by the user_
be able to access or read clipboard contents.

I'd suggest additionally that it should be possible to examine _and edit_
within the clipboard context itself what was copied.

This creates a few obvious issues, one of which is that commandline and
programmatic tools for interacting with the clipboard ... won't function as
transparently as they do now. A fact which would affect me directly as I make
heavy use of these (xclip in Linux, pbcopy / pbpaste in MacOS, termux-
clipboard-set and termux-clipboard-get in Termux/Android). I think I'd be
reasonably comfortable with a confirmation dialog appearing in such cases, or
having those applications specifically exempted (convenient, though some
risk).

The problem of programmatic interfaces to the clipboard is another matter, and
those are ... probably a complex issue.

Note that when working _entirely_ within the shell, the issue largely
disappears as the inter-process commmunications method is largely pipelines,
files, or the shell environment (variables) themselves. With some exceptions,
such as gpm(8) (a cut-and-paste utility and mouse server for virtual consols,
in Linux).

Though there's also behaviour of the X11/Xorg or Wayland clipboards.

~~~
alkonaut
> The clipboard should not, nor should applications be able to, alter the
> copied content from the visibly-selected content.

This might feel intuitively right, but it severly limits the usefulness of the
clipboard.

 _It then becomes a basic plain text clipboard_

Try opening an rich text editor (e.g.
[https://quilljs.com/playground/](https://quilljs.com/playground/)) and
selecting two words of which one is bold. Hit Ctrl+C. What is now on the
clipboard? What happens when you paste? You have your formatting preserved.
The editor has intercepted the copy command and stored data _only it knows how
to create and parse_. The same would happen in a diagram editor (a selected
shape would perhaps be stored as some json representation), or an image
editor.

The problem is that the clipboard as an established concept already means
"area where programs write their custom formatted data and where any app can
read the same data upon paste".

Restricting it might be a good idea in some cases, but it's the user
expectation so it's what apps (including browsers) need to do as the default.
This unfortunately means that abusing it as in the article will be possible.
There is no way for the browser to know whether the changed content was
formatting tags (good) or trashing the selection by adding a copyright (bad).

~~~
dredmorbius
If you want to pass rich text or spreadsheet cell formulae, _display those
before selecting_. Which puts the onus on the application to provide that
functionality.

That preserves the functionality, respects the "copy visibly-selected content"
directive, _and_ makes clear just what is being saved to the clipboard, making
sneak attacks more difficult.

Argument that the clipboard behaves in a way _that is demonstrably prone to
malicious attack_ is simply argument from tradition. Yes, that's how things
have been done. We're discovering that how things have been done leads to
strongly negative consequences.

~~~
alkonaut
Not sure I follow, how should the argument display the rich text
(markup/formatting instructions) before the selection?

The displayed/selected content might be

Foo _Bar_

but the content I want on the clipboard could be

Foo <i>Bar</i>

but I never want to see the markup, only the formatted text. I don’t want to
make a two step function where I need to reveal a textual description of the
content and select that. The markup might be a base64 encoded piece of binary
gibberish in the case of a visual diagram for example.

~~~
dredmorbius
That would be unsupported functionality.

You cannot _both_ have transparent copy capability _and_ copy hidden content
without revealing it.

Copying visual content would be subject to different requirements and
limitations. But for text: what you see is what you get. If you're copying
glyphs alone, those are what are copied. If you want formatting, you'll need
to have the source application reveal that.

~~~
alkonaut
It could be an option that is revealed after a warning. "This page wants to
use the javascript 'copy' event to place transformed data on the clipboard. If
you accept it would place [data shown] on the clipboard, otherwise it would
place [raw text] on the clipboard". What do you want to do? copy text? copy
data? [ ]remember my choice for this site.

Here, data shown would probably be some info about the data rather than the
data itself. It could be a 2mb base64 bitmap...

However, perhaps a better alternative would be to offer both "copy text" and
"copy" where the former just copies selected glyphs as plaintext while copy
fires the js event allowing the transform.

The important thing to remember is that webpages in 2020 must work like users
expect desktop applications to work, and interact with desktop applications
(e.g. copy rich content from webpage to desktop must be a default enabled
feature or the user will consider the browser broken). For this reason, I
don't think it's a viable solution to disable the js event by default (i.e. to
hook Ctrl+C to the "copy text" function).

~~~
dredmorbius
How would you institute that _in the clipboard logic_ and independently of the
app?

Because we're no longer operating in a world in which apps or processes are
trusted or trustable. Maybe the ones you write, maybe if you're really lucky
the ones that come with your fully-vetted Linux distro.

But not npm installs, not proprietary binaries, not website logic, and most
especially not the crap that's distributed on mobile app stores.

Your OS, you've got to trust. Which means that the logic's in the clipboard.

And how can the clipboard know that the application is attempting to change
contents such that the clipboard won't receive what it is that you see?

That's a key reason I see this as something that 1) has to be in the clipboard
logic and 2) has to exclude applications entirely from the copy process. The
clipboard should be acting on, say, the graphics render layer directly,
outside the application's scope.

~~~
alkonaut
The clipboard can’t tell whether the content is “right” nor can the copying be
done by the OS/clipboard itself.

In general the application is the only thing that knows what is selected (e.g
objects in a cad program) and the OS has no idea of how to serialize these
into the clipboard.

Even a text editor has to tell the OS what is selected and the OS can only
trust the app to tell the truth.

The only way to “verify it” is to show the copied content to the user (e.g in
a notification after the copy). Obviously for anything but plaintext this
verification doesn’t help (I can’t tell serialized cad objects from something
else - it’s just gibberish). I can however verify that it’s not a script that
will erase all my files when pasted into a shell (btw executing on paste is s
a horrible behavior by a shell. Pasted data must be treated as untrusted and
verified before acted on. Immediate shell execution breaks that).

~~~
dredmorbius
This is getting beyond my paygrade, though it in part depends on the OS
dispaly system.

There are some concepts -- and I very barely grasp this -- such as Display
Postscript, not in present use AFAIU, which might offer such capabilities
within the windowing system.

That is, with DPS the display itself would have awareness of both the
underlying text _and_ the formatting directives.

Whether that's even remotely similar to existing graphical systems, I've no
idea.

See:
[https://en.wikipedia.org/wiki/Display_PostScript](https://en.wikipedia.org/wiki/Display_PostScript)

~~~
alkonaut
In the most general case (and more commonly than it ever was) each app is just
a rectangular area where it renders using gpu hardware with. This used to be
how games rendered but now even shells and text editors are getting there. If
one has to manage this case too then basically the only places one can copy
from are in the compositor (images ie screenshots) or from apps. Even when
text drawing is passed through the OS (or platform libs e.g GDI on windows)
it’s difficult to imagine APIs where the OS would know what is “selected”, ie
what should be passed to the clipboard.

------
prestemon
Most importantly, [https://emdash.fan/](https://emdash.fan/) is the best
emdash site on the internet.

~~~
tkgally
My go-to site for copying special symbols is Wikipedia, which is, of course,
well-behaved:

Dashes
[https://en.wikipedia.org/wiki/Dash](https://en.wikipedia.org/wiki/Dash)

Diacritics
[https://en.wikipedia.org/wiki/Diacritic](https://en.wikipedia.org/wiki/Diacritic)

Precomposed Latin characters
[https://en.wikipedia.org/wiki/List_of_precomposed_Latin_char...](https://en.wikipedia.org/wiki/List_of_precomposed_Latin_characters_in_Unicode)

Currency symbols
[https://en.wikipedia.org/wiki/Currency_symbol](https://en.wikipedia.org/wiki/Currency_symbol)

Japanese typographic symbols
[https://en.wikipedia.org/wiki/List_of_Japanese_typographic_s...](https://en.wikipedia.org/wiki/List_of_Japanese_typographic_symbols)

etc.

~~~
amanzi
MS Word will autocorrect two hyphens into either an en dash or an em dash
based on what it believes you were trying to type.

So this: "em--dash" becomes this: "em—dash" while this: "en -- dash" becomes
this: "en – dash"

~~~
joegahona
En dashes are for ranges and sometimes for compound modifiers, like "billiard-
ball–size hail" or "New York City–based attorney." Not sure who advised MS
Word to turn two dashes into an en dash, ever, but it's not correct. Whether
an em dash has spaces around it is a matter of style.

~~~
amanzi
Word will only change it if you've used two hyphens, it won't autocorrect the
examples you have.

------
DavidVoid
On a related note, I find it interesting how modern US-ANSI layout keyboards
(even the International version [1]) still has such a limited set of
characters.

We have ¼, ½, and ¾, but not en (–) and em (—) dashes; and I get that (') and
(") are leftovers from typewriters and ASCII, but wouldn't it be nice to have
proper 6-9 (‘…’) and 66-99 (“…”) quotation marks?

Then again, you often see Europeans online misusing acute (´) and grave ( `)
accents as apostrophes (writing don´t or don`t, instead of don't or don’t). So
perhaps the availability of more similar looking keys would just lead to even
more misuse?

[1]: [https://upload.wikimedia.org/wikipedia/commons/2/22/KB_US-
In...](https://upload.wikimedia.org/wikipedia/commons/2/22/KB_US-
International.svg)

~~~
JdeBP
See
[https://news.ycombinator.com/item?id=22357897](https://news.ycombinator.com/item?id=22357897)
.

------
adtac
I chuckled when I saw the copyright. What exactly are they copyrighting? Lorem
ipsum? The bloody emdash itself?

Even I exercised more caution when I was 12 and learning HTML, arbitrarily
applying copyright to things I didn't own.

------
userbinator
IE (but not Edge, not surprisingly...) actually has a built-in feature which
was probably specifically designed to target such things:

[https://i.stack.imgur.com/855az.png](https://i.stack.imgur.com/855az.png)

Selecting "prompt" will result in this:

[https://i.stack.imgur.com/jvDUh.png](https://i.stack.imgur.com/jvDUh.png)

I set it to Prompt for trusted sites, and Disabled for all others.

~~~
alkonaut
Reading the clipboard is a security risk. Reading the clipboard without having
a user initiated paste seems like it shouldn't ever be possible (not suere
whether that is what the option does).

In this case, what I'd like as a user option is to be able to say "Don't copy
via app-specific code", i.e. "don't run the js event to let the page populate
the clipboard, instead inspect the selection and if there is a text selection
then copy that as plaintext, else copy nothing".

An alternative "prompt when the app tries to subscribe to the copy event"
could also work. If I select a shape in an online diagram editor and the app
says "can I please put my app-specific markup on the clipboard" then I say
yes, because I understand there is now way copy paste works otherwise. And on
a page when I have text selected, I can say no, and I get the default
plaintext copy.

Some apps have this as 2 different functions for a formatted copy/paste vs.
raw text copy paste. If browsers had a "copy text" context menu item that
copied the raw selection without invoking the js 'copy' event, that would work
too.

------
SanchoPanda
My favorite demo on this subject:

[https://github.com/dxa4481/Pastejacking](https://github.com/dxa4481/Pastejacking)

~~~
sigotirandolas
Actually my terminal emulator (xfce4-terminal) added a preview + confirmation
dialog a few months ago for copy-pastes including newlines (i.e. which will
execute a command instantly). I thought that it was to avoid accidental
mistakes, but it makes even more sense that it is to avoid this.

~~~
oefrha
> copy-pastes including newlines (i.e. which will execute a command instantly)

You should enable bracketed paste mode in your shell. IMO it’s much better UX
than a confirmation dialog.

[https://cirw.in/blog/bracketed-paste](https://cirw.in/blog/bracketed-paste)

~~~
sigotirandolas
Curiously, I never heard of this despite being a Linux user for quite a long
time. I'll give it a try.

------
jawns
There used to be a time when we could hope that browsers would put users first
and disable dark patterns like these.

Now, there are so many advertisers that use Tynt and related services to muck
with copy/paste that it wouldn't surprise me if the major browsers are
incentivized to leave this alone and let users suffer.

~~~
smt88
> _disable dark patterns like these_

Clipboard access isn't guaranteed to be a dark pattern, though. It's an API
that the browser supports.

I dislike clipboard access 99% of the time, but it's actually useful in a few
UIs (like copying keys in AWS). Should it really be up to the browser to
determine that an API is always a dark pattern?

Honestly, most of the worst dark patterns of the web are enabled by regular
<div>, <button>, and <img> elements -- which is to say, they're not something
the browser can unilaterally decide are "evil".

~~~
cortesoft
Is it really useful in AWS? Why is it needed?

~~~
smt88
In certain situations, you have to copy and paste a bunch of settings over and
over again. It saves you a few clicks and keyboard taps each time.

------
112
It's fine. This is just stupidity dressed as on-purpose bad UX. Yes, I
consider whoever makes that decision ("Yeah, we should totally make it not do
what the user wanted it to do!") utterly stupid, and a sad presence in the
gene pool.

There are file management apps, graphic design apps (figma), etc., that use
both the clipboard and the <c-c> / <c-p> binds to work. Neither blocking the
bind of <c-c> events, nor of the clipboard are going to happen.

We all have different needs and different pains. Sure, around here, we care
about user experience, privacy, performance and optimizations, but let's not
forget that we're in a bubble. The regular less-powered users are just as
important as us, and their needs may outweight ours.

I wish there was truly open browser that was not crap, there isn't. I wish
better privacy controls were available out-of-the box. I wish there could be a
_feature matrix backed by a default profile_ so that I can only give access to
the clipboard / other APIs manually, but with a prompt on access attempt. I
wish so much.

If I don't like my job runner, or my window manager, or even my password
manager, I can go ahead and try with at least moderate success to make my own.
Browsers are made by large groups of competent (most of them) polyglots, that
work countless hours, willing to drill through the shit that has accumulated
over the years into what we call the web. I don't have what's required to make
my own browser.

~~~
zzo38computer
Your stuff is my opinions too. It is difficult. WWW is a mess. There are other
protocols and file formats which be used, which can sometimes be better
depending on what you are doing, such as IRC, NNTP, Gopher, Telnet, SSH, etc.
(And if that isn't good enough, you can make available something with multiple
interfaces, in case some users prefer the web interface and some don't like
it.)

------
TheRealDunkirk
There's a Safari extension called StopTheMadness that prevents this sort of
thing. I just tested it on this page, and it does indeed stop this particular
nonsense.

------
thought_alarm
I've been using a simple Javascript whitelist/blocker for the last 4 years or
so (a dead-simple Safari content blocker for iOS and Mac I wrote myself; syncs
over iCloud just to give me something to do) and I honestly don't know how
anyone can stand the wide-open web without something similar.

Using the web with free Javascript privileges is an utterly appalling
experience. I can't stand it for more than 5 seconds.

~~~
codazoda
I recently switched back to Chrome on mobile because I NEED the ability to
blacklist JavaScript from abusive sites. Hacker News links, in particular, are
infuriating without it.

I haven't found a way to do this in any of the Firefox versions available for
Android.

My block list is mostly well known news sites.

~~~
SanchoPanda
Ublock origin works on mobile, and you can reuse your settings from desktop.

~~~
sterwill
uBlock Origin even works on Firefox Preview Nightly, which I'm really loving.
Way faster than normal Firefox on my old Nexus 6. Makes the phone feel several
years younger.

------
hoten
I had the exact same reaction to this site a few days ago.

[https://twitter.com/cjamcl/status/1228501692682924032](https://twitter.com/cjamcl/status/1228501692682924032)

------
bmn__
Related:

[http://kb.mozillazine.org/Granting_JavaScript_access_to_the_...](http://kb.mozillazine.org/Granting_JavaScript_access_to_the_clipboard)

[https://addons.mozilla.org/firefox/addon/don-t-fuck-with-
pas...](https://addons.mozilla.org/firefox/addon/don-t-fuck-with-paste/)

------
nomadrat
I used to work for a big ad-tech company(the company is sold and closed now).
I was a guy who developed a tool with this functionality. As a publisher, you
can add a text with a link(plus tracking code) to every copied peace of text
from your webpage. Something like: "Read more at: [https://example.com/my-
article/#<tracking_code>"](https://example.com/my-article/#<tracking_code>")

It's not about copyright. As a website owner, you can disable this behavior,
but by default, it was enabled. The main purpose of this functionality was to
track shares(for example if you copy text and send it to your friend in
skype). As i remember it was one of the most popular & important features in
the whole toolkit.

In a nutshell, it's about 200 lines of battle-tested javascript-code that
worked perfectly fine in almost any browser(dunno about now it was around 3
years ago).

Personally, i hate this behavior.

------
ernie24
Credit where credit's due, the mentioned website (The Punctuation Guide) works
very well with JS disabled, and the problem with text copying is gone. I use
[https://github.com/meetDeveloper/Quick-JS-
Switcher](https://github.com/meetDeveloper/Quick-JS-Switcher)

------
slimsag
Really, the web just gets more and more vile towards users.

Sure, highly technical folk are capable of working around this all -- but the
vast majority of people do not have a browser that is _working for them_:

\- You have little to no control over what content you are seeing. Instead, it
is chosen for you.

\- A large number of videos (not even including movies and shows) are
geographically blocked. You cannot access them.

\- Developers are actively trying to prevent: Saving images[1][2][3],
selecting text[4][5], browsing on a mobile phone[6][7], and a whole slew of
other normal user actions I don't care to cite: preventing users from going
back, manipulating their browser history, asking for notification and
geolocation permissions, displaying full-screen modals that block content
access, scroll-jacking, click-jacking, and more.

But don't worry! It's not all doom and gloom, websites like Reddit, Instagram,
Facebook, banks, and more are heavily pushing their users away from the web to
mobile applications where you have ZERO choice.

And we're going to maintain this backwards-compatible stack of completely
volatile pieces of anti-patterns until that migration to "apps" is complete,
and you can no longer distinguish between the app on your phone monitoring
everything you do or the site running 5 different layers of VMs and doing the
same -- albeit a bit slower.

[1]
[https://security.stackexchange.com/questions/122922/discoura...](https://security.stackexchange.com/questions/122922/discouraging-
users-from-copying-images-off-a-website)

[2] [https://stackoverflow.com/questions/21110130/protect-
image-d...](https://stackoverflow.com/questions/21110130/protect-image-
download/48855148)

[3] [https://stackoverflow.com/questions/35897974/how-to-
prevent-...](https://stackoverflow.com/questions/35897974/how-to-prevent-
image-from-copying)

[4] [https://stackoverflow.com/questions/16805684/javascript-
disa...](https://stackoverflow.com/questions/16805684/javascript-disable-text-
select)

[5] [https://stackoverflow.com/questions/8365272/disable-
copying-...](https://stackoverflow.com/questions/8365272/disable-copying-on-a-
website)

[6] [https://stackoverflow.com/questions/10177456/how-to-
disable-...](https://stackoverflow.com/questions/10177456/how-to-disable-
access-to-website-for-mobile)

[7] [https://stackoverflow.com/questions/22618724/how-to-
disable-...](https://stackoverflow.com/questions/22618724/how-to-disable-my-
website-from-being-viewed-on-mobile-devices)

~~~
wtallis
I think browsers need to implement options to block most of the bad behaviors
you describe, and bundle it all up into a "this site is an app" permission
that is off by default. Pages that are fundamentally just documents dressed up
with fancy navigation features don't need all those anti-features and it's the
browser's duty to spare the user the annoyance, but Google Docs does need most
of those APIs.

------
superkuh
You're giving sites permission to do this when you browse the web with browser
that automatically executes whatever code it is sent. They're not forcing you,
you're going there and you're asking for it and doing it yourself.

There's an easy solution. Stop. Don't run JS by default.

~~~
harikb
OP is simply asking for a compromise, a better solution that yours. Instead of
avoiding JS altogether, don’t give it access to things it should never have
access / no business mucking around

~~~
TeMPOraL
There's a tension here, though. Having access to things like this is the whole
point of having JS in the first place. The web is just full of assholes, so
you experience the abuse as often - or even more often - than the proper use
of JS.

Not sure how to approach it. JS whitelist is a stopgap solution, but not a
particularly convenient one, and it doesn't always work.

------
timzaman
The author sadly didn't touch on e.g. zero-width spaces
([https://en.m.wikipedia.org/wiki/Zero-
width_space](https://en.m.wikipedia.org/wiki/Zero-width_space)) to fingerprint
anything copy pasted.

------
pgt
Upvoted for the emdash (—) shortcut: Shift+Option+Minus

------
dawnerd
I had to implement an in-house version of this way back on eHow before it was
pretty easy. Cross browser issues made it pretty tricky - which is probably
why a couple companies that just did this spawned from it.

It's all so silly and doesn't increase site visits in any meaningful way.

Sidenote: I'm glad javascript in browsers is a lot more standard so you don't
have to get stupidly hacky.

------
the_d00d
Just wait until they place an ad in your clipboard

~~~
TeMPOraL
This already is an ad. They're betting on you pasting what you copied straight
into a communicator.

------
onion-soup
What's with ultra-grey font colors? It's not 2010 anymore, give your text some
contrast ffs, you are killing my eyes

~~~
otras
Sorry about that. I had been using some default styles that came with the Hugo
theme I'm using, but I absolutely see what you mean. Updated text throughout
the site to have better contrast. Hope that helps!

~~~
onion-soup
Thanks!

------
zzo38computer
I mostly do not enable document scripts. But, does any browser have a setting
to disable the ability for document scripts to affect selections? (They also
mention smooth scrolling. I don't like that either, nor replacing standard
widgets with their own or adding additional worthless animations.)

------
flarg
There's an extension that stops this and it's called Don't F __k with Paste

------
abrax3141
I wish clipboards worked like emacs yank buffers. Then you wouldn't have this
problem.

------
mopsi
It's not just an annoyance. Think of copying shell commands...

------
hoangbkit
Awesome post! many times i copied some stuff and they appended links and
advertising contents into it ^^ so annoying, especially in those listing sites
like quotes or similar.

------
kebman
Hindering someone from grabbing an emdash with copy-scripts is pretty petty.
Edit: Anyway, reminds me when I used to troll my buddies with the ANSI.SYS
hack.

------
mangatmodi
There is a special place in my hatebook for websites which disable copy, this
website just earned the top place

------
generalpass
Firefox makes life easier:

    
    
      Ctrl+Alt+R
    

Also, uMatrix with js disabled by default works well, too.

------
eitland
This is bad UX if nothing else.

For an example of what I think wad good UX: In Windows, it used to be that
pasting into a text editor would give you the original text while pasting into
OneNote would magically give you the text with a link back to the source
below.

I used to love that and for what I know it still works, I just don't use
Windows and OneNote that much anymore.

------
thanhkitt
“ghci> putStrLn (pretty 10 value)”

    
    
        Excerpt From: Bryan O’Sullivan,

------
hartator
Also special place in hell for pages that disables paste on their inputs.

------
brobot182
Is there a chrome plugin that prevents this?

~~~
analog31
In lieu of a plugin, I always paste into a plain text editor and copy the
stuff I _actually_ want from there. I've always done this, not because of
dark-patterny stuff, but just fonts and having bad aim with my cursor when I
copy.

