Open Bug 1192066 Opened 9 years ago Updated 2 years ago

Clear clipboard when using "Copy Password" in about:logins

Categories

(Firefox :: about:logins, enhancement, P3)

Product:
Firefox
Component:
about:logins
Type:
enhancement

Tracking

()

People

(Reporter: kjozwiak, Unassigned)

References

(Blocks 1 open bug)

Details

I think it would be a good idea if we cleared the clipboard after x amount of seconds when using the "Copy Password" feature via "Saved Passwords" under about:preferences#security. Most password managers, at least the ones I've used, have this feature built into them.

Currently if someone copies their password, it stays in the clipboard until something else is copied into it and replaces the password. I don't think this a huge issue as the password is already saved in the manager but I'm not sure how comfortable I'm with the password lingering around after it's been copied into the clipboard. Users might accidentally paste it into an IM message or something along those lines and could cause major problems if they're using the same password for a majority of websites and they just accidentally pasted it somewhere undesired.

Is this something we could possibly add into fx? (not sure how difficult or feasible it would be)
Blocks: 1118400
Whiteboard: [passwords:management]
Component: Password Manager → about:logins
Priority: -- → P3
Product: Toolkit → Firefox
Version: unspecified → Trunk
Type: defect → enhancement
Summary: clearing clipboard when using "Copy Password" under about:preferences#security → Clear clipboard when using "Copy Password" in about:logins

Mass removing [skyline] and [passwords:management] from about:logins bugs which are no longer useful.

Whiteboard: [passwords:management]

Has there been any update with this? Thinking about implementing this as my first contribution to Mozilla :P

Flags: needinfo?(sfoster)

(In reply to Nicholas Fason (he/him) from comment #4)

Has there been any update with this? Thinking about implementing this as my first contribution to Mozilla :P

There are no current plans to implement this. We would need to think through the requirements and user experience quite carefully.
For example,

  • What happens if the about:logins tab is closed, would we expect the timeout to still fire and clear the clipboard when the timer expires?
  • Should we show a notification when the clipboard is cleared? Perhaps only if it is cleared as a result of timing out, not when used.
  • The paste that uses the copied password could be in any window. Would we need to observe all pastes across all windows until the timer expired to know when to clear the clipboard?

If you want to explore this I would be happy to work with you on a prototype patch, but I think we would need a lot more clarity before we could ship this feature.

Flags: needinfo?(sfoster)

(In reply to Sam Foster [:sfoster] (he/him) from comment #5)

(In reply to Nicholas Fason (he/him) from comment #4)

Has there been any update with this? Thinking about implementing this as my first contribution to Mozilla :P

There are no current plans to implement this. We would need to think through the requirements and user experience quite carefully.
For example,

  • What happens if the about:logins tab is closed, would we expect the timeout to still fire and clear the clipboard when the timer expires?
  • Should we show a notification when the clipboard is cleared? Perhaps only if it is cleared as a result of timing out, not when used.
  • The paste that uses the copied password could be in any window. Would we need to observe all pastes across all windows until the timer expired to know when to clear the clipboard?

If you want to explore this I would be happy to work with you on a prototype patch, but I think we would need a lot more clarity before we could ship this feature.

Thank you so much for the reply and massive apologies for never going into this further. Been busy with a lot of life stuff.

I am still interested in contributing to Firefox and getting started here. Seems like a relatively easy thing to implement, but I agree, some forethought is needed.

On first-thought, I do think it should be disabled by default, and must be enabled by the user in the settings. My reasoning for this is that it could "jar" users if they suddenly don't have access to the password they just copied to their clipboard.

What happens if the about:logins tab is closed, would we expect the timeout to still fire and clear the clipboard when the timer expires?

Yes, I think it should be expected that this should still fire regardless of the tab status, although that might be difficult to implement. This is a first-contribution for me and I'm not 100% on how some things work internally for Firefox, if you're willing to explain a few things in regards to that then that's definitely something I see being necessary.

Should we show a notification when the clipboard is cleared? Perhaps only if it is cleared as a result of timing out, not when used.

I'm honestly not too sure on this one. Just taking inspiration from other password management applications such as Bitwarden, they do not give a notification when the clipboard is cleared, regardless of the circumstances (at least from my testing), and I kind of agree. It might be a little unnecessary, but might not be a bad idea.

The paste that uses the copied password could be in any window. Would we need to observe all pastes across all windows until the timer expired to know when to clear the clipboard?

The way I see it working, again from the perspective of someone who hasn't worked on this codebase hardly at all, is that there is a service or something running in the background (whatever the most efficient way) that begins a timer (for the specified amount of time as set in the preferences) and when it runs out it clears the clipboard. But, this timer can be interrupted if the clipboard is already overwritten with something before the timer finishes (aka the user copies new text), to prevent unwanted clipboard modification.

Not sure if there's a way to listen for events like key-presses or actions like "copying to clipboard" or something to that effect, but it would probably be best (in this scenario) to listen for that input, check if the clipboard is the same as the password, if not end the timer, if so keep the timer going and continue as normal.

Thanks for your willingness to work with me on this, if I'm going about this in the wrong way or have any suggestions for me please don't hesitate to reach out! I find this stuff fun and want to pursue this stuff so improvement is what I'm looking for here!

It's definitely a good idea to implement. Here are a few thoughts:

  1. We should enable it for everyone. Users should not be responsible of turning on everything themselves.
  2. It must be visible. Hidden features are never used. We can show a notification like OS popup with countdown timer. "Clearing copied value soon" or some better message can be used to make it clear what's going on.
  3. On Windows there is no way app can tell if data is pasted or not. Even with custom rendering, OS seems to call custom rendering immediately prior to any paste command from the user.
  4. On Windows OpenClipboard() may not work every time, we should be prepared for that.
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.