Accepting permissions.request does not refresh user activation for DOM API navigator.clipboard
Categories: WebExtensions :: General, defect
Tracking: firefox114 affected, firefox115 affected, firefox116 affected
People: Reporter: manikulin, Unassigned
Attachments: 1 file (48.80 KB, image/png)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
Steps to reproduce:
Firefox extensions may use clipboard API without the clipboardWrite permission during a short interval after user interaction. Unfortunately accepting a request for an optional_permission does not refresh user activation for DOM API. Consider a case when an add-on needs to get access to a cross-origin frame to extract some text using scripting.executeScript and to copy it to clipboard.
- Load the extension provided below.
- Open context menu on a regular web page. Cross-origin iframe is not required for reproducing, any non-privileged page may be used.
- Wait more than 5 seconds
- Accept permission request
- Inspect add-on developer tools console
Actual results:
Text is not copied to clipboard
diff 6.4 seconds bg-cbperm.js:32:11
Uncaught (in promise) DOMException: Clipboard write was blocked due to lack of user activation.
cbpermAction moz-extension://5f7144e6-8df0-44a7-b2bb-5ddd8a2acdb0/bg-cbperm.js:28
async* moz-extension://5f7144e6-8df0-44a7-b2bb-5ddd8a2acdb0/bg-cbperm.js:42
bg-cbperm.js:28
Expected results:
No DOMException, text "navigator.clipboard.writeText <DATE-TIME>" may be pasted from clipboard.
The example is not supposed to work in Firefox-102 ESR.
My expectations are based on the bug 1835585 comment 3.
manifest.json
```json
{
  "manifest_version": 3,
  "name": "Permission and copy",
  "description": "Test if accepting permission request refreshes user action context",
  "version": "0.1",
  "permissions": [ "activeTab", "contextMenus" ],
  "optional_permissions": [ "<all_urls>" ],
  "background": { "scripts": [ "bg-cbperm.js" ] },
  "action": {
    "default_title": "Permission and copy"
  },
  "commands": {
    "CBBGN_CMD": {
      "description": "Permission and copy",
      "suggested_key": {
        "default": "Ctrl+Shift+L"
      }
    }
  }
}
```
bg-cbperm.js
```js
"use strict";

async function cbpermCreateMenu() {
  await new Promise((resolve, reject) => chrome.contextMenus.removeAll(() => {
    const { lastError } = chrome.runtime;
    if (lastError) {
      reject(lastError);
    } else {
      resolve();
    }
  }));
  const contexts = ["all"];
  chrome.contextMenus.create({
    id: "cbperm_MENU", contexts, title: "Permission and copy",
  });
}

async function cbpermAction(reason, tab, clickData) {
  const ts = Date.now();
  // `activeTab` does not give access to cross-origin frames
  // where context menu may be opened. Assume a content script
  // should be run to extract text to copy from the frame.
  const url = clickData?.frameUrl || clickData?.pageUrl
    || (tab || (await browser.tabs.query({lastFocusedWindow: true, active: true}))[0]).url;
  await browser.permissions.request({origins: [url]});
  try {
    // According to comments to https://bugzilla.mozilla.org/1835585
    // it is expected that it is possible to copy text to clipboard.
    await navigator.clipboard.writeText(
      "navigator.clipboard.writeText " + new Date().toISOString());
  } finally {
    const diff = (Date.now() - ts)*0.001;
    console.log("diff %.1f seconds", diff);
    if (diff < 5) {
      console.warn("Permission request is accepted too fast");
    }
    await browser.permissions.remove({origins: [url]});
  }
}

cbpermCreateMenu();
// `void` to improve error logging https://bugzilla.mozilla.org/1398672
chrome.contextMenus.onClicked.addListener((clickData, tab) => void cbpermAction("menus", tab, clickData));
chrome.commands.onCommand.addListener(() => void cbpermAction("commands"));
chrome.action.onClicked.addListener((tab) => void cbpermAction("action", tab));
```
Comment 1•1 year ago
Hello,
I reproduced the issue on the latest Nightly (116.0a1/20230618205154), Beta (115.0b7/20230618180218) and Release (114.0.1/20230608214645) under Windows 10 x64 and macOS 11.3.1.
Accepting the permission request after more than 5 seconds as per the STR will log the DOMException to the add-on console as well as not copy the selected text to clipboard.
For more details, see the attached screenshot.
Comment 2•1 year ago
Comment 3•1 year ago
This behavior is intentional. We don't want to unnecessarily prolong the user interaction.
I do not request to prolong user activation for the whole period of time while a permission request popup is displayed. The idea is to consider accepting (and maybe rejecting as well) permission request as another event with its own 5 seconds interval when calls to DOM API are permitted.
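A simplified timing model of the behaviour discussed in this report, as an added example that is not code from the bug report or from Firefox. The class, its option names and the `replay` helper are hypothetical; the 5-second window and the 6.4-second delay are taken from the report, and the `clipboardWrite` branch assumes that this permission allows clipboard writes without user activation.

```javascript
// Simplified timing model of transient user activation (added example,
// not Firefox code). 5 s is the interval named in the report.
const ACTIVATION_WINDOW_MS = 5000;

class ActivationModel {
  // Hypothetical options:
  //   refreshOnPromptAccept: false = behaviour reported in this bug,
  //                          true  = semantics proposed in comment 3.
  //   hasClipboardWrite: the extension holds the clipboardWrite permission
  //                      (assumed to allow writes without activation).
  constructor({ refreshOnPromptAccept = false, hasClipboardWrite = false } = {}) {
    this.refreshOnPromptAccept = refreshOnPromptAccept;
    this.hasClipboardWrite = hasClipboardWrite;
    this.lastActivation = -Infinity; // no gesture seen yet
  }

  // Menu click, shortcut or toolbar button press at time `now` (ms).
  userGesture(now) {
    this.lastActivation = now;
  }

  // User accepts the permissions.request() prompt at time `now` (ms).
  promptAccepted(now) {
    if (this.refreshOnPromptAccept) {
      this.lastActivation = now; // treated as a new activation event
    }
  }

  // Would navigator.clipboard.writeText() be allowed at time `now`?
  canWriteClipboard(now) {
    if (this.hasClipboardWrite) return true;
    return now - this.lastActivation <= ACTIVATION_WINDOW_MS;
  }
}

// Replays the steps to reproduce: gesture at t=0, prompt accepted after
// promptDelayMs, clipboard write attempted immediately afterwards.
function replay(options, promptDelayMs) {
  const model = new ActivationModel(options);
  model.userGesture(0);
  model.promptAccepted(promptDelayMs);
  return model.canWriteClipboard(promptDelayMs) ? "copied" : "blocked";
}

console.log(replay({}, 6400));                              // reported behaviour
console.log(replay({ refreshOnPromptAccept: true }, 6400)); // proposed semantics
console.log(replay({ hasClipboardWrite: true }, 6400));     // permission declared
```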