Closed Bug 1777448 Opened 2 years ago Closed 4 months ago

Avoid showing the "Paste" button for `navigator.clipboard.read*()` when the user's privacy isn't affected

Categories

(Core :: DOM: Copy & Paste and Drag & Drop, enhancement)

Product:
Core
Component:
DOM: Copy & Paste and Drag & Drop
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
122 Branch
Tracking Flags:
Tracking Status
firefox122 --- fixed

People

(Reporter: mbrodesser-Igalia, Assigned: edgar)

References

(Blocks 2 open bugs)

Details

Attachments

(2 files, 6 obsolete files)

Bug 1777448 - Part 1: Don't not show paste contextmenu for background tab; r=nika
48 bytes, text/x-phabricator-request
Details | Review
Bug 1777448 - Part 2: Suppress the paste context menu when the clipboard data originates from a same-origin page; r?nika
48 bytes, text/x-phabricator-request
Details | Review

Includes not showing the "Paste" button when copy-pasting within the same document/origin; see the "Security and Privacy" section of https://webkit.org/blog/10855/.

Depends on: 1773707
Blocks: 1770358
No longer depends on: 1770358

Currently, we show the paste contextmenu to grand user permission every time when the page tries to read clipboard data programmatically via async clipboard API, but sometimes it might be annoyed if the user only copy/paste data within the same origin, for example editing a Google Doc. Webkit has implemented two mechanisms to improve the user experience.

  • If the user is explicitly triggering a paste during the gesture (for instance, using a keyboard shortcut on macOS such as ⌘V or pasting using the “Paste” action on the callout bar on iOS), WebKit will allow the page to programmatically read the contents of the clipboard.
  • Programmatic clipboard access is also automatically granted in the case where the contents of the system clipboard were written by a page with the same security origin.

We would like to implement the similar behavior, too. i.e.

  • Allow the page to programmatically read clipboard in paste event handler.
  • Allow the page to programmatically read clipboard if the clipboard data is from the same origin. (data from external application will be treated as from different origin)

And here are some rough plan to implement the same-origin checks,

  • In Cocoa widget, there is a clipboard cache mechanism, we cache the nsITransferable that is written to system clipboard by gecko. And if the system clipboard isn't changed by other application, we return the data stored in cached nsITransferable for the subsequent clipboard access from gecko. I plan to build the same-origin checks on the top of it.
  • Apply other platforms to same clipboard cache mechanism which requires a refactoring on nsBaseClipboard (bug 1773707).
  • Storing the principle that trigger the system clipboard writing in nsITransferable::requestingOrigin,
  • When reading clipboard data programmatically,
    1. If there is no valid data in clipboard cache, show the paste contextmenu to grand user permission.
    2. Otherwise, check the principle stored in the cache with the requesting principle.
      2.1. if they are different origin, show the paste contextmenu to grand user permission.
      2.2. Otherwise, automatically grant the permission.
Blocks: 1809106
Assignee: nobody → echen
Depends on: 1852947

Displaying the paste context menu for background tabs can be surprising and
confusing for users, so we reject the request and don't allow it being associated
with existing pending request.

Depends on D190405

And don't allow new request being associated with existing pending request if
the requests are from different origin.

Depends on D190761

Depends on D190848

Attachment #9357683 - Attachment description: WIP: Bug 1777448 - Part 1: Handle clipboard contextmenu in parent process; → Bug 1777448 - Part 1: Handle clipboard contextmenu in parent process; r?nika!
Attachment #9357998 - Attachment description: WIP: Bug 1777448 - Part 2: Don't not show paste contextmenu for background tab; → Bug 1777448 - Part 2: Don't not show paste contextmenu for background tab; r=nika
Attachment #9358047 - Attachment description: WIP: Bug 1777448 - Part 3: Suppress the paste context menu when the clipboard data originates from a same-origin page; → Bug 1777448 - Part 3: Suppress the paste context menu when the clipboard data originates from a same-origin page; r?nika
Attachment #9358151 - Attachment description: WIP: Bug 1777448 - Part 4: Set requesting principal when copying is triggered by keyboard shortcut; → Bug 1777448 - Part 4: Set requesting principal when copying is triggered by keyboard shortcut; r?nika
Attachment #9358175 - Attachment description: WIP: Bug 1777448 - Part 5: Set requesting principal when copying image; → Bug 1777448 - Part 5: Set requesting principal when copying image; r?nika

This patch makes the clipboard context menu trigger from the parent process rather
than the content process. A chrome-only event, MozClipboardReadPaste, is dispatched
to the chrome document to initiate paste context menu. When the paste context
menu is either clicked or dismissed, the clipboard-contextmenu-* observer is
triggered.

The behavior of handling multiple requests should remain unchanged, new tests are
added to ensure that.

Depends on D182108

Displaying the paste context menu for background tabs can be surprising and
confusing for users, so we reject the request and don't allow it being associated
with existing pending request.

Depends on D192935

Attachment #9362398 - Attachment description: Bug 1777448 - Part 2: (ClipboardSecurityService) Don't not show paste contextmenu for background tab; r=nika → WIP: Bug 1777448 - Part 2: (ClipboardSecurityService) Don't not show paste contextmenu for background tab;

And don't allow new request being associated with existing pending request if
the requests are from different origin.

Depends on D192974

Attachment #9362328 - Attachment is obsolete: true
Attachment #9362398 - Attachment is obsolete: true
Attachment #9362811 - Attachment is obsolete: true
Attachment #9358175 - Attachment is obsolete: true
Attachment #9358151 - Attachment is obsolete: true
Depends on: 1866994

Comment on attachment 9357683 [details]
Bug 1777448 - Part 1: Handle clipboard contextmenu in parent process; r?nika!

Revision D190405 was moved to bug 1866994. Setting attachment 9357683 [details] to obsolete.

Attachment #9357683 - Attachment is obsolete: true
Attachment #9357998 - Attachment description: Bug 1777448 - Part 2: Don't not show paste contextmenu for background tab; r=nika → Bug 1777448 - Part 1: Don't not show paste contextmenu for background tab; r=nika
Attachment #9358047 - Attachment description: Bug 1777448 - Part 3: Suppress the paste context menu when the clipboard data originates from a same-origin page; r?nika → Bug 1777448 - Part 2: Suppress the paste context menu when the clipboard data originates from a same-origin page; r?nika
Pushed by echen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/32841cae9b3b
Part 1: Don't not show paste contextmenu for background tab; r=nika,hsivonen
https://hg.mozilla.org/integration/autoland/rev/6dee3dce64ad
Part 2: Suppress the paste context menu when the clipboard data originates from a same-origin page; r=nika
Regressions: 1868659

Backed out for causing bc failures in browser_navigator_clipboard_contextmenu_suppression.js

Flags: needinfo?(echen)
Pushed by echen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/28a38aeacd83
Part 1: Don't not show paste contextmenu for background tab; r=nika,hsivonen
https://hg.mozilla.org/integration/autoland/rev/bdca89fb71d5
Part 2: Suppress the paste context menu when the clipboard data originates from a same-origin page; r=nika
Flags: needinfo?(echen)
Regressions: 1868963

https://hg.mozilla.org/mozilla-central/rev/28a38aeacd83
https://hg.mozilla.org/mozilla-central/rev/bdca89fb71d5

Status: NEW → RESOLVED
Closed: 4 months ago
status-firefox122: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch
Regressions: 1868703
See Also: → 1869868
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: