Closed Bug 1605928 Opened 5 years ago Closed 5 years ago

navigator.clipboard.writeText() does not work in asynchronous environments

Categories

(Core :: DOM: Events, enhancement)

Product:
Core
Component:
DOM: Events
Version:
71 Branch
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1597857

People

(Reporter: backeschwein, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Steps to reproduce:

Dear colleagues,

the navigator.clipboard.writeText() requires a direct user gesture such as a user triggered click event. Therefore, it cannot (as far as I know) work in asynchronous environments.

This is not really a bug since I guess this is - for now - intended behaviour. However, this is not less problematic and makes the function unusable for adequate purposes.

Example:

A online password manager won't show a page to the user which hiddenly contains all passwords in plaintext. The users session may expire at a later stage, so only details such as the name/URL of the platform, the username and the email address may be revealed to the source code once the page is loaded.

That means, once the user clicks on the COPY button for the password, another request is invoked. This is typically an asynchronous request (AJAX). But the current implementation requires a synchronous request; it does not realize that the user triggered click event is associated with the callback which is called once the AJAX request has finished.

One can evade this behaviour by just making the request synchronous, but that is not considered as good practise. Firefox will show a warning when doing that.

Security:

The current behaviour may be due to security concerns. However, magically finding out if it was triggered by a user gesture may be not the right way to do that. Also, it can be easily bypassed binding a click event to the whole <body> which will make the function usable wherever the user clicked. So, the current solution is not effective.

On the other hand, only writing a text into the clipboard may be not a big issue in terms of security.

Solution:

The requirement for a user gesture should be removed as it is ineffective and makes problems. As far as I know, Firefox anyway only supports writing to, but not reading from the clipboard via the Clipboard interface.

Other Browsers:

Chromium does not require any user gesture.

Component: Untriaged → DOM: Events
Product: Firefox → Core
Depends on: 1597857

(In reply to backeschwein from comment #0)

That means, once the user clicks on the COPY button for the password, another request is invoked. This is typically an asynchronous request (AJAX). But the current implementation requires a synchronous request; it does not realize that the user-triggered click event is associated with the callback which is called once the AJAX request has finished.

After bug 1597857, the navigator.clipboard.writeText() call in the async callback will be considered as user generated if it happens within a certain time frame after the user-triggered event. I think it could cover most of the cases, so mark as a duplicated of bug 1605928. Feel free to reopen this or file a new if you found other issues. Thanks

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.