Closed Bug 1801880 Opened 2 years ago Closed 1 year ago

Copying password from Password Manager on MacOS does not set the right PasteboardType

Categories

(Core :: Widget: Cocoa, defect, P3)

Firefox 107
defect

Tracking

()

RESOLVED FIXED
118 Branch
Tracking Status
firefox118 --- fixed

People

(Reporter: github, Assigned: KrisWright)

Details

Attachments

(1 file)

Steps to reproduce:

1> Open Firefox on MacOS 13.0.1 (I suspect other versions are similarly impacted)
2> Click options, Passwords
3> Find a previously saved login&password combo.
4> Click the Copy button next to the password

Actual results:

Password successfully copied as plaintext. However, pasteboard type reads public.utf8-plain-text. I use a free application called "Pasteboard Viewer" to verify this.

Expected results:

Pasteboard type should be set to both public-utf8-plain-text and org.nspasteboard.ConcealedType. Google Chrome successfully does this.
My use case is that I use a clipboard manager and would like to ignore copies of passwords and other sensitive data.

The Bugbug bot thinks this bug should belong to the 'Core::Widget: Cocoa' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Widget: Cocoa
Product: Firefox → Core
Severity: -- → S3
Priority: -- → P3

This bug is reproducible in the current version of Firefox, and the reason is that the calling method never sets the concealed type. Only MacOS should be affected by this issue. I will have a fix up for this soon.

Assignee: nobody → kwright

Thank you!

From my understanding of the issue, we want to preserve the utf8 string type while also adding the org.nspasteboard.ConcealedType as an indicator that a string is private data. I do this by creating a new type to add to the key/value dict we use to set clipboard data. While we handle this on Windows via a flag the windows API provides us, it looks like on MacOS we need to manually specify the data information. I'm unsure if this is quite what the OS intends to see, but with a lack of baseline information from Apple or from testing Safari behaviors, it looks like this might be the right way to go about it.

Kris, in case you weren't aware: you can use an app such as Pasteboard Viewer to see what's placed on the pasteboard. This could help you identify what Safari does in this situation and confirm our behavior against it, before and after your patch.

Flags: needinfo?(kwright)

The issue is Safari doesn't have a password manager, this is why I looked at what Chrome did. (chrome://password-manager/passwords)

In Chrome, copying a password and inspecting Pasteboard Viewer yielded two key/value pairs. One was "public.utf8-plain-text" with the password string, and another was "org.nspasteboard.ConcealedType" with an empty value.

Interestingly, the Keychain Access app does not set the ConcealedType correctly either.

(In reply to Stephen A Pohl [:spohl] from comment #5)

Kris, in case you weren't aware: you can use an app such as Pasteboard Viewer to see what's placed on the pasteboard. This could help you identify what Safari does in this situation and confirm our behavior against it, before and after your patch.

I see now that comment 0 already mentioned Pasteboard Viewer. Maybe the direct link to the app can be helpful.

Pushed by kwright@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ae572fb876bc use nsPasteBoard's ConcealedType on password strings. r=mac-reviewers,bradwerth
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch
Flags: needinfo?(kwright)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: