So, uh, we apparently do all this work to not let web pages touch the clipboard, but we allow them to mutate the selection arbitrarily? Like, say, right before I copy (which we send an event about). We should make the document's selection range immutable to content script or something.
The website could hide arbitrary data in the selection anyway with display:none blocks... why not let them change the selection? This seems like a feature, not a bug.
> The website could hide arbitrary data in the selection anyway with > display:none blocks. If display:none content was copied that would be a flaw too. Yes it should be valid to move the selection to include it, but copy should only copy what it visible to the user, so display:none content would be ignored.
It's not possible to "fix" this from a security standpoint, because there are a gazillion ways a site can mislead you as to the contents of a selection: font-size:0, opacity:0, absolute positioning, fonts that make the character 'a' look like a 'z', image alt text. So we'd prefer to make copying as usable as possible, and that means including image alt text (bug 212177) and allowing scripts to suggest correct text (useful for bespin, spreadsheets). We plan to not copy display:none text (bug 39098), not for security reasons, but because users keep hitting it. See previous security discussion in bug 57770 and bug 39098. It's unfortunate that Esquire has decided to hurt usability by stuffing their URL into all copies, but they're not being malicious, just greedy.
I am curious what method Esquire is using, fwiw.
On the copy event, they create a display:hidden div with the "Read more: ..." link as the contents. Then they extend the document's selection range to contain that div.