Bug 1809106 Comment 18 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).

  - From the spec it looks like "the permission is granted in secure contexts if you have transient activation".
  - What the the sentence _says_ is "you can use the API outside of secure contexts (i.e. in any context provided you have transient activation").
  - From the spec it also looks like the write permission [is intended to be removed](https://github.com/w3c/permissions/pull/246#issuecomment-863022451). 
  - So what's the actual restriction for firefox? Is it what the spec says ("secure context AND transient activation") or the note ("any context provided you have transient activation), or some third case that cannot be ruled out by the current text: ("insecure contexts OK provided you have transient activation, secure context you don't need transient activation).

     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Is there a specification for browser extensions? 
    - What I'm asking here is whether this is specification behaviour or something that might be different on every browser. If it is specification behaviour and FF matches it we should remove the note and add this information to the content page. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - Same questions as before. Essentially:
    - Spec says is a bit confused because it appears read permission was removed but it is still referenced.
       Anyhow I think it says "Reading works if you are in a secure context AND you have transient activation, and that the [script is running due to that activation and trying to paste into an element](https://w3c.github.io/clipboard-apis/#check-clipboard-read-permission).
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - Is this spec behaviour? I.e. is that Paste prompt and cross origin thing in the spec?
    - Same comment for the browser extensions as for writing - is there a spec for this, and is it expected that your extension can write anywhere if it has that permission granted?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).

  - From the spec it looks like "the permission is granted in secure contexts (only) if you have transient activation".
  - What the the sentence _says_ is "you can use the API outside of secure contexts (i.e. in any context provided you have transient activation").
  - From the spec it also looks like the write permission [is intended to be removed](https://github.com/w3c/permissions/pull/246#issuecomment-863022451). 
  - So what's the actual restriction for firefox? Is it what the spec says ("secure context AND transient activation") or the note ("any context provided you have transient activation), or some third case that cannot be ruled out by the current text: ("insecure contexts OK provided you have transient activation, secure context you don't need transient activation).

     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Is there a specification for browser extensions? 
    - What I'm asking here is whether this is specification behaviour or something that might be different on every browser. If it is specification behaviour and FF matches it we should remove the note and add this information to the content page. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - Same questions as before. Essentially:
    - Spec says is a bit confused because it appears read permission was removed but it is still referenced.
       Anyhow I think it says "Reading works if you are in a secure context AND you have transient activation, and that the [script is running due to that activation and trying to paste into an element](https://w3c.github.io/clipboard-apis/#check-clipboard-read-permission).
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - Is this spec behaviour? I.e. is that Paste prompt and cross origin thing in the spec?
    - Same comment for the browser extensions as for writing - is there a spec for this, and is it expected that your extension can write anywhere if it has that permission granted?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).

  - From the spec it looks like "the permission is granted in secure contexts (only) if you have transient activation".
  - What the the sentence _says_ is "you can use the API outside of secure contexts (i.e. in any context provided you have transient activation").
  - So what's the actual restriction for firefox? Is it what the spec says ("secure context AND transient activation") or the note ("any context provided you have transient activation), or some third case that cannot be ruled out by the current text: ("insecure contexts OK provided you have transient activation, secure context you don't need transient activation).

     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Is there a specification for browser extensions? 
    - What I'm asking here is whether this is specification behaviour or something that might be different on every browser. If it is specification behaviour and FF matches it we should remove the note and add this information to the content page. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation, and that the [script is running due to that activation and trying to paste into an element](https://w3c.github.io/clipboard-apis/#check-clipboard-read-permission).
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - Is this spec behaviour? I.e. is that Paste prompt and cross origin thing in the spec? (can't see it)
    - Same comment for the browser extensions as for writing - is there a spec for this, and is it expected that your extension can write anywhere if it has that permission granted?

From the spec it also looks like the read permission has been removed (though it is still referenced) and the write permission [is intended to be removed](https://github.com/w3c/permissions/pull/246#issuecomment-863022451). What's the story here for FF - is there a permission integration?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).

  - The spec says "The permission is granted in secure contexts (only), and if you have transient activation", and the implication is that you can write if you have the permission.
  - What I don't understand is what the sentence means, and how that differs from what the spec says. 
    It looks like it is saying that:
    - you somehow need permission granted to write to the clipboard. 
    - However if you have transient activation and a secure context you can write without that permission
    - But not clear how you get that permission if not in a secure context and what form it has - a user prompt?
    - I _suspect_ that perhaps a prompt was originally expected to grant permission in any context, but now you just require secure context and transient activation?

  - So what's the actual restriction for firefox? Is it what the spec says ("secure context AND transient activation") or the note ("any context provided you have transient activation), or  something else. 

     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Is there a specification for browser extensions? 
    - What I'm asking here is whether this is specification behaviour or something that might be different on every browser. If it is specification behaviour and FF matches it we should remove the note and add this information to the content page. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation, and that the [script is running due to that activation and trying to paste into an element](https://w3c.github.io/clipboard-apis/#check-clipboard-read-permission).
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - Is this spec behaviour? I.e. is that Paste prompt and cross origin thing in the spec? (can't see it)
    - Same comment for the browser extensions as for writing - is there a spec for this, and is it expected that your extension can write anywhere if it has that permission granted?

From the spec it also looks like the read permission has been removed (though it is still referenced) and the write permission [is intended to be removed](https://github.com/w3c/permissions/pull/246#issuecomment-863022451). What's the story here for FF - is there a permission integration?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).

  - The spec says "The permission is granted in secure contexts (only), and if you have transient activation", and the implication is that you can write if you have the permission.
  - What I don't understand is what the sentence means, and how that differs from what the spec says. 
    It looks like it is saying that:
    - you somehow need permission granted to write to the clipboard. 
    - However if you have transient activation and a secure context you can write without that permission
    - But not clear how you get that permission if not in a secure context and what form it has - a user prompt?
    - I _suspect_ that perhaps a prompt was originally expected to be required to grant permission in insecure contexts. However now you just require secure context and transient activation and there are no prompts?

  - So what's the actual restriction for firefox? Is it what the spec says ("secure context AND transient activation") or the note ("any context provided you have transient activation), or  something else?

     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Is there a specification for browser extensions? 
    - What I'm asking here is whether this is specification behaviour or something that might be different on every browser. If it is specification behaviour and FF matches it we should remove the note and add this information to the content page. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation, and that the [script is running due to that activation and trying to paste into an element](https://w3c.github.io/clipboard-apis/#check-clipboard-read-permission).
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - Is this spec behaviour? I.e. is that Paste prompt and cross origin thing in the spec? (can't see it)
    - Same comment for the browser extensions as for writing - is there a spec for this, and is it expected that your extension can write anywhere if it has that permission granted?

From the spec it also looks like the read permission has been removed (though it is still referenced) and the write permission [is intended to be removed](https://github.com/w3c/permissions/pull/246#issuecomment-863022451). What's the story here for FF - is there a permission integration?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).

  - The spec says "The permission is granted in secure contexts (only), and if you have transient activation", and the implication is that you can write if you have the permission.
  - What I don't understand is what the sentence means, and how that differs from what the spec says. 
    It looks like it is saying that:
    - you somehow need permission granted to write to the clipboard. 
    - However if you have transient activation and a secure context you can write without that permission
    - But not clear how you get that permission if not in a secure context and what form it has - a user prompt?
    - I _suspect_ that perhaps a prompt was originally expected to be required to grant permission in insecure contexts. However now you just require secure context and transient activation and there are no prompts?

  - So what's the actual restriction for firefox? Is it what the spec says ("secure context AND transient activation") or the note ("any context provided you have transient activation), or  something else?

     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Is there a specification for browser extensions? 
    - What I'm asking here is whether this is specification behaviour or something that might be different on every browser. If it is specification behaviour and FF matches it we should remove the note and add this information to the content page. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation, and that the [script is running due to that activation and trying to paste into an element](https://w3c.github.io/clipboard-apis/#check-clipboard-read-permission).
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - Is this spec behaviour? I.e. is that Paste prompt and cross origin thing in the spec? (can't see it)
    - Same comment for the browser extensions as for writing - is there a spec for this, and is it expected that your extension can write anywhere if it has that permission granted?

From the spec it also looks like the read permission has been removed (though it is still referenced) and the write permission [is intended to be removed](https://github.com/w3c/permissions/pull/246#issuecomment-863022451). What's the story here for FF?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).

  - What I don't understand is what the sentence means, and how that differs from what the spec says. 

    - The spec seems to say "The feature is only available in secure contexts. The permission is granted if you have a gesture (transient activation)", and the implication is that you can write if you have the permission.

    It looks like our sentence is saying that:
    - you somehow need permission granted to write to the clipboard. 
    - However if you have transient activation and a secure context you can write without that permission
    - But not clear how you get that permission if not in a secure context and what form it has - a user prompt?
    - I _suspect_ that perhaps a prompt was originally expected to be required to grant permission in insecure contexts? However now you just require secure context and transient activation and there are no prompts?

  - So what's the actual restriction for firefox? Is it what the spec says ("secure context AND transient activation") or the note ("any context provided you have transient activation), or  something else and how does it differ from what the spec says?

     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Is there a specification for browser extensions? 
    - What I'm asking here is whether this is specification behaviour or something that might be different on every browser. If it is specification behaviour and FF matches it we should remove the note and add this information to the content page. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation, and that the [script is running due to that activation and trying to paste into an element](https://w3c.github.io/clipboard-apis/#check-clipboard-read-permission).
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - Is this spec behaviour? I.e. is that Paste prompt and cross origin thing in the spec? (can't see it)
    - Same comment for the browser extensions as for writing - is there a spec for this, and is it expected that your extension can write anywhere if it has that permission granted?

From the spec it also looks like the read permission has been removed (though it is still referenced) and the write permission [is intended to be removed](https://github.com/w3c/permissions/pull/246#issuecomment-863022451). What's the story here for FF?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).

  - What I don't understand is what the sentence means, and how that differs from what the spec says. 

    - The spec seems to say "The feature is only available in secure contexts. The permission is granted if you have a gesture (transient activation)", and the implication is that you can write if you have the permission.
      There also seems to be option for the user agent to add more restrictions or to say they don't need a "gesture", which I take to mean transient activation.

    It looks like our sentence is saying that:
    - you somehow need permission granted to write to the clipboard. 
    - However if you have transient activation and a secure context you can write without that permission
    - There is an implication that perhaps you can get the permission if not in a secure context, or that you don't need permission if you have transient activation - while the spec is more "transient activation gives you the permission you need".

  - So what's the actual restriction for firefox? Is it what the spec says ("secure context AND transient activation"). If not, what is different to the spec. You can write outside of a secure context? 

     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Is there a specification for browser extensions? 
    - What I'm asking here is whether this is specification behaviour or something that might be different on every browser. If it is specification behaviour and FF matches it we should remove the note and add this information to the content page. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation, and that the [script is running due to that activation and trying to paste into an element](https://w3c.github.io/clipboard-apis/#check-clipboard-read-permission).
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - Is this spec behaviour? I.e. is that Paste prompt and cross origin thing in the spec? (can't see it)
    - Same comment for the browser extensions as for writing - is there a spec for this, and is it expected that your extension can write anywhere if it has that permission granted?

The write docs have this statements:

> The `"clipboard-write"` permission of the [Permissions API](/en-US/docs/Web/API/Permissions_API), is granted automatically to pages when they are in the active tab.

- Is this "active tab" think true, and is it in the spec (can't see anything obvious, but I'd assume you'd get the permission anyway due to selecting the item to copy and getting transient activation)?
- From the spec it also looks like the writer permission [is intended to be removed](https://github.com/w3c/permissions/pull/246#issuecomment-863022451). How does that change things?
- So again, I "think" you get this permission from transient activation. I suspect you might also need result of that paste prompt too if a cross-origin page you're copying from.

> To read from the clipboard, you must first have the `"clipboard-read"` permission.

- From the spec it also looks like the read permission has been removed (though it is still referenced).
- Does FF or anyone else use it?
- Permissions suck

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are "proposed" spec changes around removal of permissions that seem to have been implemented in some browsers, so we're in the position where we might have off-spec behaviour that is defacto standard. 

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).

  - What I don't understand is what the sentence means, and how that differs from what the spec says. 

    - The spec seems to say "The feature is only available in secure contexts. The permission is granted if you have a gesture (transient activation)", and the implication is that you can write if you have the permission.
      There also seems to be option for the user agent to add more restrictions or to say they don't need a "gesture", which I take to mean transient activation.

    It looks like our sentence is saying that:
    - you somehow need permission granted to write to the clipboard. 
    - However if you have transient activation and a secure context you can write without that permission
    - There is an implication that perhaps you can get the permission if not in a secure context, or that you don't need permission if you have transient activation - while the spec is more "transient activation gives you the permission you need".

  - So what's the actual restriction for firefox? Is it what the spec says ("secure context AND transient activation"). If not, what is different to the spec. You can write outside of a secure context? 

     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Is there a specification for browser extensions? 
    - What I'm asking here is whether this is specification behaviour or something that might be different on every browser. If it is specification behaviour and FF matches it we should remove the note and add this information to the content page. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation, and that the [script is running due to that activation and trying to paste into an element](https://w3c.github.io/clipboard-apis/#check-clipboard-read-permission).
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - Is this spec behaviour? I.e. is that Paste prompt and cross origin thing in the spec? (can't see it)
    - Same comment for the browser extensions as for writing - is there a spec for this, and is it expected that your extension can write anywhere if it has that permission granted?

The write docs have this statements:

> The `"clipboard-write"` permission of the [Permissions API](/en-US/docs/Web/API/Permissions_API), is granted automatically to pages when they are in the active tab.

- Is this "active tab" think true, and is it in the spec (can't see anything obvious, but I'd assume you'd get the permission anyway due to selecting the item to copy and getting transient activation)?
- From the spec it also looks like the writer permission [is intended to be removed](https://github.com/w3c/permissions/pull/246#issuecomment-863022451). How does that change things?
- So again, I "think" you get this permission from transient activation. I suspect you might also need result of that paste prompt too if a cross-origin page you're copying from.

> To read from the clipboard, you must first have the `"clipboard-read"` permission.

- From the spec it also looks like the read permission has been removed (though it is still referenced).
- Does FF or anyone else use it?
- Permissions suck

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are "proposed" spec changes around removal of permissions that seem to have been implemented in some browsers, so we're in the position where we might have off-spec behaviour that is defacto standard. 

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).

  - What I don't understand is what the sentence means, and how that differs from what the spec says. 

    - The spec seems to say "The feature is only available in secure contexts. The permission is granted if you have a gesture (transient activation)", and the implication is that you can write if you have the permission.
      There also seems to be option for the user agent to add more restrictions or to say they don't need a "gesture", which I take to mean transient activation.

    It looks like our sentence is saying that:
    - you somehow need permission granted to write to the clipboard. 
    - However if you have transient activation and a secure context you can write without that permission
    - There is an implication that perhaps you can get the permission if not in a secure context, or that you don't need permission if you have transient activation - while the spec is more "transient activation gives you the permission you need".

  - So what's the actual restriction for firefox? Is it what the spec says ("secure context AND transient activation"). If not, what is different to the spec. You can write outside of a secure context? 

     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Is there a specification for browser extensions? 
    - What I'm asking here is whether this is specification behaviour or something that might be different on every browser. If it is specification behaviour and FF matches it we should remove the note and add this information to the content page. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation, and that the [script is running due to that activation and trying to paste into an element](https://w3c.github.io/clipboard-apis/#check-clipboard-read-permission).
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - Is this spec behaviour? I.e. is that Paste prompt and cross origin thing in the spec? (can't see it)
    - Same comment for the browser extensions as for writing - is there a spec for this, and is it expected that your extension can write anywhere if it has that permission granted?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are "proposed" spec changes around removal of permissions that seem to have been implemented in some browsers, so we're in the position where we might have off-spec behaviour that is defacto standard. 

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).

  - What I don't understand is what the sentence means, and how that differs from what the spec says. 

    - The spec seems to say "The feature is only available in secure contexts. The permission is granted if you have a gesture (transient activation)", and the implication is that you can write if you have the permission.
      There also seems to be option for the user agent to add more restrictions or to say they don't need a "gesture", which I take to mean transient activation.

    It looks like our sentence is saying that:
    - you somehow need permission granted to write to the clipboard. 
    - However if you have transient activation and a secure context you can write without that permission
    - There is an implication that perhaps you can get the permission if not in a secure context, or that you don't need permission if you have transient activation - while the spec is more "transient activation gives you the permission you need".

  - So what's the actual restriction for firefox? Is it what the spec says ("secure context AND transient activation"). If not, what is different to the spec. You can write outside of a secure context? 

     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Is there a specification for browser extensions? 
    - What I'm asking here is whether this is specification behaviour or something that might be different on every browser. If it is specification behaviour and FF matches it we should remove the note and add this information to the content page. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - The spec indicates `read()` and takes some options `Promise<ClipboardItems> read(optional ClipboardUnsanitizedFormats formats = {});` but the FF IDL does not. Do we know if any browsers implement this option, and does Firefox plan to do so?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation, and that the [script is running due to that activation and trying to paste into an element](https://w3c.github.io/clipboard-apis/#check-clipboard-read-permission).
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - Is this spec behaviour? I.e. is that Paste prompt and cross origin thing in the spec? (can't see it)
    - Same comment for the browser extensions as for writing - is there a spec for this, and is it expected that your extension can write anywhere if it has that permission granted?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are "proposed" spec changes around removal of permissions that seem to have been implemented in some browsers, so we're in the position where we might have off-spec behaviour that is defacto standard. 

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).
     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Permissions API is removed(ish) from the spec, so and what the spec seems to say is:
       - The feature is only available in secure contexts. 
       - The permission is granted if you have a gesture (transient activation)"
       - There also seems to be option for the user agent to add more restrictions or to say they don't need a "gesture", which I take to mean transient activation.

    - So I think that we're saying is that that 
      - outside of browser extensions we largely match the spec - require secure context and browser extensions. That means we don't need to mention it.
      - Browser extensions
        - require transient activation if don't have write permission.
        - if you have write permission you can write without transient activation. 
        - Do you have the secure context restriction as well - if yes normally, does it still exist if you have the write permission.
        - Is there a spec for browser extensions, and is the behaviour matching that spec or different? If it is on spec we don't need to mention at all. If it is off spec then we do. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the compatibility description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - The spec indicates `read()` and takes some options `Promise<ClipboardItems> read(optional ClipboardUnsanitizedFormats formats = {});` but the FF IDL does not. Do we know if any browsers implement this `formats` option, and does Firefox plan to do so?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation.
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - So here all we need to mention is the paste prompt when reading text from a cross origin context (which seems odd BTW, since you're reading from the clipboard, and I would have thought it would be writing that you'd check the context for)
    - Same comment for the browser extensions as for the write methods - is there a spec for this, and is it expected that your extension can read anywhere if it has that permission granted/require secure context/require transient activation

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are "proposed" spec changes around removal of permissions that seem to have been implemented in some browsers, so we're in the position where we might have off-spec behaviour that is defacto standard. 

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).
     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Permissions API is removed(ish) from the spec, so and what the spec seems to say is:
       - The feature is only available in secure contexts. 
       - The permission is granted if you have a gesture (transient activation)"
       - There also seems to be option for the user agent to add more restrictions or to say they don't need a "gesture", which I take to mean transient activation.

    - So I think that we're saying is that that 
      - outside of browser extensions we largely match the spec - require secure context and transient activation. That means we don't need to mention it.
      - Browser extensions
        - require transient activation if don't have write permission.
        - if you have write permission you can write without transient activation. 
        - Do you have the secure context restriction as well - if yes normally, does it still exist if you have the write permission.
        - Is there a spec for browser extensions, and is the behaviour matching that spec or different? If it is on spec we don't need to mention at all. If it is off spec then we do. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the compatibility description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - The spec indicates `read()` and takes some options `Promise<ClipboardItems> read(optional ClipboardUnsanitizedFormats formats = {});` but the FF IDL does not. Do we know if any browsers implement this `formats` option, and does Firefox plan to do so?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation.
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - So here all we need to mention is the paste prompt when reading text from a cross origin context (which seems odd BTW, since you're reading from the clipboard, and I would have thought it would be writing that you'd check the context for)
    - Same comment for the browser extensions as for the write methods - is there a spec for this, and is it expected that your extension can read anywhere if it has that permission granted/require secure context/require transient activation

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are "proposed" spec changes around removal of permissions that seem to have been implemented in some browsers, so we're in the position where we might have off-spec behaviour that is defacto standard. 

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).
     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Permissions API is removed(ish) from the spec, and what the spec seems to say is:
       - The feature is only available in secure contexts. 
       - The permission is granted if you have a gesture (transient activation)"
       - There also seems to be option for the user agent to add more restrictions or to say they don't need a "gesture", which I take to mean transient activation.

    - So I think that we're saying is that that 
      - outside of browser extensions we largely match the spec - require secure context and transient activation. That means we don't need to mention it.
      - Browser extensions
        - require transient activation if don't have write permission.
        - if you have write permission you can write without transient activation. 
        - Do you have the secure context restriction as well - if yes normally, does it still exist if you have the write permission.
        - Is there a spec for browser extensions, and is the behaviour matching that spec or different? If it is on spec we don't need to mention at all. If it is off spec then we do. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the compatibility description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - The spec indicates `read()` and takes some options `Promise<ClipboardItems> read(optional ClipboardUnsanitizedFormats formats = {});` but the FF IDL does not. Do we know if any browsers implement this `formats` option, and does Firefox plan to do so?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation.
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - So here all we need to mention is the paste prompt when reading text from a cross origin context (which seems odd BTW, since you're reading from the clipboard, and I would have thought it would be writing that you'd check the context for)
    - Same comment for the browser extensions as for the write methods - is there a spec for this, and is it expected that your extension can read anywhere if it has that permission granted/require secure context/require transient activation

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are spec changes around removal of permissions that seem to have been been done in a partial way - making it hard to read.

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).
     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Permissions API is removed(ish) from the spec, and what the spec seems to say is:
       - The feature is only available in secure contexts. 
       - Requires a gesture (transient activation)
       - There also seems to be option for the user agent to add more restrictions or to say they don't need a "gesture", which I take to mean transient activation.

    - So I think that we're saying is that that 
      - outside of browser extensions we largely match the spec - require secure context and transient activation. That means we don't need to mention it.
      - Browser extensions
        - require transient activation if don't have write permission.
        - if you have write permission you can write without transient activation. 
        - Do you have the secure context restriction as well - if yes normally, does it still exist if you have the write permission.
        - Is there a spec for browser extensions, and is the behaviour matching that spec or different? If it is on spec we don't need to mention at all. If it is off spec then we do. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the compatibility description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - The spec indicates `read()` and takes some options `Promise<ClipboardItems> read(optional ClipboardUnsanitizedFormats formats = {});` but the FF IDL does not. Do we know if any browsers implement this `formats` option, and does Firefox plan to do so?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation.
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - So here all we need to mention is the paste prompt when reading text from a cross origin context (which seems odd BTW, since you're reading from the clipboard, and I would have thought it would be writing that you'd check the context for)
    - Same comment for the browser extensions as for the write methods - is there a spec for this, and is it expected that your extension can read anywhere if it has that permission granted/require secure context/require transient activation

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are spec changes around removal of permissions that seem to have been been done in a partial way - making it hard to read.

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).
     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Permissions API is removed(ish) from the spec, and what the spec seems to say is:
       - The feature is only available in secure contexts. 
       - Requires a gesture (transient activation)
       - There also seems to be option for the user agent to add more restrictions if desired. 
       - There is some messy leftover info around permissions that hasn't been removed that implies you might not need transient activation - I plan to ignore that

    - So I think that we're saying is that for writing:
      - outside of browser extensions we largely match the spec - require secure context and transient activation. That means we don't need to mention it.
      - Browser extensions
        - require transient activation if don't have write permission (?)
        - if you have write permission you can write without transient activation (?) 
        - Do you have the secure context restriction as well? If yes, is this restriction ignored if you have the extension write permission?
        - Is there a spec for browser extensions, and is the behaviour matching that spec or different? If it is on spec we don't need to mention at all. If it is off spec then we do. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the compatibility description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - The spec indicates `read()` and takes some options `Promise<ClipboardItems> read(optional ClipboardUnsanitizedFormats formats = {});` but the FF IDL does not. Do we know if any browsers implement this `formats` option, and does Firefox plan to do so?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation.
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - So here all we need to mention is the paste prompt when reading text from a cross origin context (which seems odd BTW, since you're reading from the clipboard, and I would have thought it would be writing that you'd check the context for)
    - Same comment for the browser extensions as for the write methods - is there a spec for this, and is it expected that your extension can read anywhere if it has that permission granted/require secure context/require transient activation

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are spec changes around removal of permissions that seem to have been been done in a partial way - making it hard to read.

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).
     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Permissions API is removed(ish) from the spec, and what the spec seems to say is:
       - The feature is only available in secure contexts. 
       - Requires a gesture (transient activation)
       - There also seems to be option for the user agent to add more restrictions if desired. 
       - There is some messy leftover info around permissions that hasn't been removed that implies you might not need transient activation - I plan to ignore that

    - So I think that we're saying is that for writing:
      - outside of browser extensions we largely match the spec - require secure context and transient activation. That means we don't need to mention it.
      - Browser extensions
        - require transient activation if don't have write permission (?)
        - if extension has write permission you can write without transient activation (?) 
        - Are browser extensions restricted to working in secure contexts? If so, does this restriction get ignored if it has the extension write permission?
        - Is there a spec for browser extensions, and is the behaviour matching that spec or different? If it is on spec we don't need to mention at all. If it is off spec then we do. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the compatibility description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - The spec indicates `read()` and takes some options `Promise<ClipboardItems> read(optional ClipboardUnsanitizedFormats formats = {});` but the FF IDL does not. Do we know if any browsers implement this `formats` option, and does Firefox plan to do so?
  - Same questions as before. Essentially:
    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation.
    - I "think" the FF behaviour is "Reading works if you are in a secure context AND you have transient activation. You also get a Paste-prompt if pasting into a cross-origin page". 
      - Is that correct? If not, in what way?
      - So here all we need to mention is the paste prompt when reading text from a cross origin context (which seems odd BTW, since you're reading from the clipboard, and I would have thought it would be writing that you'd check the context for)
    - Same comment for the browser extensions as for the write methods - is there a spec for this, and is it expected that your extension can read anywhere if it has that permission granted/require secure context/require transient activation

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are spec changes around removal of permissions that seem to have been been done in a partial way - making it hard to read.

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).
     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Permissions API is removed(ish) from the spec, and what the spec seems to say is:
       - The feature is only available in secure contexts. 
       - Requires a gesture (transient activation)
       - There also seems to be option for the user agent to add more restrictions if desired. 
       - There is some messy leftover info around permissions that hasn't been removed that implies you might not need transient activation - I plan to ignore that

    - So I think that we're saying is that for writing:
      - outside of browser extensions we largely match the spec - require secure context and transient activation. That means we don't need to mention it.
      - Browser extensions
        - require transient activation if don't have write permission (?)
        - if extension has write permission you can write without transient activation (?) 
        - Are browser extensions restricted to working in secure contexts? If so, does this restriction get ignored if it has the extension write permission?
        - Is there a spec for browser extensions, and is the behaviour matching that spec or different? If it is on spec we don't need to mention at all. If it is off spec then we do. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the compatibility description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - The spec indicates `read()` and takes some options `Promise<ClipboardItems> read(optional ClipboardUnsanitizedFormats formats = {});` but the FF IDL does not. Do we know if any browsers implement this `formats` option, and does Firefox plan to do so?
  - Same questions as before. 

    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation."
    - I "think" the FF matches this BUT you additionally get a Paste-prompt if pasting into a cross-origin page" (which seems odd BTW, since you're reading from the clipboard, and I would have thought it would be writing to clipboard that you'd check the context for)
      - Is that correct? If not, in what way?
      - So here all we need to mention is the paste prompt when reading text from a cross origin context 
    - Same comment for the browser extensions as for the write methods - is there a spec for this, and is it expected that your extension can read anywhere if it has that permission granted/require secure context/require transient activation?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are spec changes around removal of permissions that seem to have been been done in a partial way - making it hard to read.

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).
     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Permissions API is removed(ish) from the spec, and what the spec seems to say is:
       - The feature is only available in secure contexts. 
       - Requires a gesture (transient activation)
       - There also seems to be option for the user agent to add more restrictions if desired. 
       - There is some messy leftover info around permissions that hasn't been removed that implies you might not need transient activation - I plan to ignore that

    - So I think that we're saying is that for writing:
      - outside of browser extensions we largely match the spec - require secure context and transient activation. That means we don't need to mention it.
      - Browser extensions
        - require transient activation and secure context if don't have write permission (?)
        - if extension has write permission you can write without transient activation or secure context (?)
        - Is there a spec for browser extensions, and is the behaviour matching that spec or different? If it is on spec we don't need to mention at all. If it is off spec then we do. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. I think the compatibility description should match `write()`, whatever that ends up being. The user callback stuff is same - it "means" transient activation.

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - The spec indicates `read()` and takes some options `Promise<ClipboardItems> read(optional ClipboardUnsanitizedFormats formats = {});` but the FF IDL does not. Do we know if any browsers implement this `formats` option, and does Firefox plan to do so?
  - Same questions as before. 

    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation."
    - I "think" the FF matches this BUT you additionally get a Paste-prompt if pasting into a cross-origin page" (which seems odd BTW, since you're reading from the clipboard, and I would have thought it would be writing to clipboard that you'd check the context for)
      - Is that correct? If not, in what way?
      - So here all we need to mention is the paste prompt when reading text from a cross origin context 
    - Same comment for the browser extensions as for the write methods - is there a spec for this, and is it expected that your extension can read anywhere if it has that permission granted/require secure context/require transient activation?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.
Thanks @edgar. Helpful, except now I realise that I wasn't precise enough in my questions

In browser compatibility we should only document things that are off-spec and anything that is in spec and web app developer we should mention in the docs. I worry that that these notes are _expected_ behaviour when compared to the spec, so should not be mentioned in BCD at all. In addition there are spec changes around removal of permissions that seem to have been been done in a partial way - making it hard to read.

Can you confirm specifically:

- `Clipboard.write()`
  -  Currently following our discussion the note says:

     > Writing to the clipboard is available without permission in secure contexts and browser extensions, but only when the contexts have [transient activation](https://developer.mozilla.org/docs/Web/Security/User_activation#transient_activation).
     > Browser extensions with the `"clipboardWrite"` permission can write to the clipboard at any time.

    - Permissions API is removed(ish) from the spec, and what the spec seems to say is:
       - The feature is only available in secure contexts. 
       - Requires a gesture (transient activation)
       - There also seems to be option for the user agent to add more restrictions if desired. 
       - There is some messy leftover info around permissions that hasn't been removed that implies you might not need transient activation - I plan to ignore that

    - So I think that we're saying is that for writing:
      - outside of browser extensions we largely match the spec - require secure context and transient activation. That means we don't need to mention it.
      - Browser extensions
        - require transient activation and secure context if don't have write permission (?)
        - if extension has write permission you can write without transient activation or secure context (?)
        - Is there a spec for browser extensions, and is the behaviour matching that spec or different? If it is on spec we don't need to mention at all. If it is off spec then we do. 

- `Clipboard.writeText()`
  - You said _Yes, nothing changes for Clipboard.writeText()_. Same questions as above really. Do you mean that the user callback stuff is is not the same as transient activation so the current description stands? (and we're off spec for this method?).

- `read()` and `readText`
  - I assume that whatever the notes say, it should be the same for both?
  - The spec indicates `read()` and takes some options `Promise<ClipboardItems> read(optional ClipboardUnsanitizedFormats formats = {});` but the FF IDL does not. Do we know if any browsers implement this `formats` option, and does Firefox plan to do so?
  - Same questions as before. 

    - Spec says (I think):  "Reading works if you are in a secure context AND you have transient activation."
    - I "think" the FF matches this BUT you additionally get a Paste-prompt if pasting content that originates **from** a cross-origin page". Is that right?
      - So here all we need to mention is the paste prompt when reading text that was previously pasted from a cross origin context??
    - Same comment for the browser extensions as for the write methods - is there a spec for this, and is it expected that your extension can read anywhere if it has that permission granted/require secure context/require transient activation?

Sorry to be painful, but it could be we need no notes, or we need to be more precise.

Back to Bug 1809106 Comment 18