Open Bug 1701132 Opened 3 years ago Updated 2 years ago

document.execCommand shouldn't execute outside event handlers

Categories

(Core :: DOM: Editor, defect)

78 Branch
defect

Tracking Status
firefox86 --- affected
firefox87 --- affected
firefox88 --- affected
firefox89 --- affected

People

(Reporter: jobbautista9, Unassigned)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0

Steps to reproduce:

  1. Go to Discord.
  2. Enable Developer Mode in the Appearance section of your settings.
  3. Copy an ID (could be from a server, user, or channel)

Actual results:

The ID gets copied into the clipboard.

Expected results:

It shouldn't copy the ID to the clipboard, as the document.execCommand wasn't called inside a short running user-generated event handler. The success of executing document.execCommand is not a feature, but a security and privacy bug, since it opens up the browser to malicious scripts that can mess up your clipboard, and even monitor and steal its contents. I usually copy my randomly-generated long passwords into my clipboard, since I don't want to use a password manager. I don't want a script to sniff my password.

It should be Discord and other websites fixing this issue, not Firefox.

Note that SeaMonkey and the latest version of Epiphany (which is WebKit) don't allow document.execCommand outside of an event handler.

Need to investigate how this works in Chrome, though. Edgar, do you have some suggestions as a developer of user activation?

Severity: -- → S3
See Also: → 1012662

The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.

Status: UNCONFIRMED → NEW
Ever confirmed: true
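
The gating described under "Expected results", as an added example that is not from the bug report or from Firefox code. `GatedDocument` is a constructed stand-in (hypothetical names, not Gecko internals) for a browser that lets `execCommand("copy")` succeed only while a user-generated event handler is running; the scenario compares an in-handler call with deferred, synthetic-event and no-gesture calls.

```javascript
// Added example: GatedDocument is a constructed model, not Gecko code.
// It allows 'copy' only while a user-generated event handler is running.
class GatedDocument {
  constructor() {
    this.handlingUserInput = false;
    this.selection = "";
    this.clipboard = null;
  }
  // Simulates the browser delivering a real user click to a page handler.
  dispatchUserClick(handler) {
    this.handlingUserInput = true;
    try {
      handler({ type: "click", isTrusted: true });
    } finally {
      this.handlingUserInput = false; // gate closes when the handler returns
    }
  }
  execCommand(name) {
    if (name !== "copy" || !this.handlingUserInput) return false;
    this.clipboard = this.selection;
    return true;
  }
}

// Page-side helper (hypothetical name): copy synchronously, trusted events only.
function copyOnGesture(doc, event, text) {
  if (!event || !event.isTrusted) return false; // script-synthesised event
  doc.selection = text;
  return doc.execCommand("copy");
}

function runScenario() {
  const doc = new GatedDocument();
  const tasks = []; // stands in for timers / network callbacks
  const result = {};
  doc.dispatchUserClick((ev) => {
    result.inHandler = copyOnGesture(doc, ev, "constructed-id-0001");
    // Same trusted event object, but the call runs after the handler returned.
    tasks.push(() => { result.deferred = copyOnGesture(doc, ev, "other"); });
  });
  tasks.forEach((task) => task());
  result.synthetic = copyOnGesture(doc, { type: "click", isTrusted: false }, "x");
  result.noGesture = doc.execCommand("copy"); // bare script call, no user input
  result.clipboard = doc.clipboard;
  return result;
}

console.log(runScenario());
```

The deferred call reuses an event whose `isTrusted` is still true, so checking the event alone is not enough: the call has to happen before the handler returns.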