document.execCommand shouldn't execute outside event handlers
Categories: Core :: DOM: Editor, defect
People: Reporter: jobbautista9, Unassigned
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Steps to reproduce:
- Go to Discord.
- Enable Developer Mode in the Appearance section of your settings.
- Copy an ID (could be from a server, user, or channel)
Actual results:
The ID gets copied into the clipboard.
Expected results:
It shouldn't copy the ID to the clipboard, as the document.execCommand wasn't called inside a short-running user-generated event handler. The success of executing document.execCommand is not a feature, but a security and privacy bug, since it opens up the browser to malicious scripts that can mess up your clipboard, and even monitor and steal its contents. I usually copy my randomly-generated long passwords into my clipboard, since I don't want to use a password manager. I don't want a script to sniff my password.
It should be Discord and other websites fixing this issue, not Firefox.
Note that SeaMonkey and the latest version of Epiphany (which is WebKit) don't allow document.execCommand outside of an event handler.
Updated•3 years ago
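An added example, not part of the bug report or of any browser's code: a small probe that attempts `document.execCommand('copy')` once with no user gesture and once inside a click handler, then classifies the result against the behaviour the report expects. All function names are hypothetical, and `makeFakeDocument` is a constructed stand-in that models the gating rule so the probe can run outside a browser; it is not any engine's actual policy.

```javascript
function tryCopy(doc, text) {
  const ta = doc.createElement('textarea');   // temporary selection source
  ta.value = text;
  doc.body.appendChild(ta);
  ta.select();
  try {
    return doc.execCommand('copy') === true;
  } catch (e) {
    return false;                             // some engines throw instead of returning false
  } finally {
    doc.body.removeChild(ta);
  }
}

function classify(outsideHandler, insideHandler) {
  if (outsideHandler) return 'ungated';       // the behaviour the report objects to
  return insideHandler ? 'gated' : 'blocked'; // 'gated' is what the report expects
}

// Attempt one copy immediately (no user gesture), one inside the next click.
function installProbe(doc, button, text, report) {
  const outside = tryCopy(doc, text);
  button.addEventListener('click', function onClick() {
    button.removeEventListener('click', onClick);
    report(classify(outside, tryCopy(doc, text)));
  });
}

// Constructed stand-in for a Document (assumption: gated=true models an engine
// that honours 'copy' only while a click handler is running).
function makeFakeDocument(gated) {
  let inHandler = false;
  const handlers = [];
  const doc = {
    clipboard: null,
    body: { appendChild() {}, removeChild() {} },
    createElement: () => ({ value: '', select() { doc.selected = this.value; } }),
    execCommand(cmd) {
      if (cmd !== 'copy' || (gated && !inHandler)) return false;
      doc.clipboard = doc.selected;
      return true;
    },
  };
  const button = {
    addEventListener: (type, fn) => handlers.push(fn),
    removeEventListener: (type, fn) => handlers.splice(handlers.indexOf(fn), 1),
    click() { inHandler = true; handlers.slice().forEach(fn => fn()); inHandler = false; },
  };
  return { doc, button };
}
```

In a browser, call `installProbe(document, someButton, 'probe', console.log)` and click the button by hand, since a scripted `click()` is not a user gesture.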
Comment 1•3 years ago
Need to investigate how this works in Chrome, though; edgar, do you have some suggestions as a developer of user activation?
Comment 2•2 years ago
The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.