Re: [w3c/clipboard-apis] User gesture requirement for Clipboard API access (#52)

> Hi folks! As discussed on [today's TAG call](https://github.com/w3ctag/meetings/blob/gh-pages/2021/telcons/07-05-agenda.md) - we think the user activation requirement needs to be very strong - e.g. ^v or selecting paste in a menu. As I wrote in [this comment](https://github.com/w3ctag/design-reviews/issues/636#issuecomment-857829725) on our issue on the pickling review, we think there are some abuse scenarios that are not being given enough weight in the discussion here. It should **not** be possible for a web page to have access to the contents of a user's clipboard without a very high bar of informed consent. This is pretty fundamental to what sets the web apart from other platforms in terms of user safety. Since this issue is still open, what can be done additionally to strengthen the spec (and implementations) in this area?

I've created a [demo and explainer](https://lapcatsoftware.com/articles/clipboard.html) showing how any web page in any web browser can silently overwrite the system clipboard using many innocent user gestures such as pressing the arrow key to scroll down the web page.

In my testing, these DOM events can activate the Clipboard API: click, copy, cut, focusout, keydown, keyup, mousedown, mouseup, selectstart

User gestures are not user consent. There can be no consent without understanding, and users definitely don't understand that these gestures allow their clipboard to be overwritten.

There is some concern that strictly limiting the Clipboard API would make custom UI impossible. Well... maybe it should be impossible. Or maybe there should be an explicit user site permission that makes it possible. In any case, I can imagine some stricter limits than what currently exists, such as only allowing a click event on a `<button>` element to activate it.

If you look at one prominent implementation of custom UI, there's Twitter's "Copy link to Tweet". Twitter uses this custom UI to add tracking tags to the end of the tweet URL, which users all hate, and which causes unrelated "More Tweets" to appear when a user loads the tweet. So I can't say that this custom UI is very user friendly. I think these discussions tend to revolve too much around what web developers want and not about what web users want.


Message ID: <w3c/clipboard-apis/issues/52/1236122082@github.com>

Received on Saturday, 3 September 2022 13:36:54 UTC
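
The following is an added example, not part of the original message or of the Clipboard API specification: an audit shim a site owner or tester could load ahead of page scripts to record which gesture each `writeText` call happens under, and whether that gesture would pass the stricter "click on a `<button>`" rule floated in the message. The function names, the log format, and the use of `window.event` and `closest('button')` are assumptions of this sketch.

```javascript
// Added example (hypothetical helper names); audits clipboard writes only.
// Event types the message reports as able to activate the Clipboard API.
const REPORTED_EVENTS = new Set(['click', 'copy', 'cut', 'focusout', 'keydown',
  'keyup', 'mousedown', 'mouseup', 'selectstart']);

// Stricter rule suggested in the message: only a click on a <button> element.
// Assumption: a click on a child of a <button> counts, hence closest().
function meetsStrictRule(event) {
  if (!event || event.type !== 'click' || !event.target) return false;
  const target = event.target;
  const el = typeof target.closest === 'function' ? target.closest('button') : target;
  return !!el && String(el.tagName).toUpperCase() === 'BUTTON';
}

// Wraps clipboard.writeText so each call is logged with the gesture being
// dispatched at that moment. getEvent returns the current event, or
// null/undefined when the write happens outside any event handler.
// Not covered here: clipboard.write() and document.execCommand('copy').
function installClipboardAudit(clipboard, getEvent, log = []) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = function (text) {
    const ev = getEvent();
    log.push({
      eventType: ev ? ev.type : null,
      reported: !!ev && REPORTED_EVENTS.has(ev.type),
      strictOk: meetsStrictRule(ev),
      length: String(text).length, // record the size only, never the content
    });
    return original(text); // behaviour of the page is left unchanged
  };
  return log;
}

// Browser usage (assumption: runs before any page script):
//   const log = installClipboardAudit(navigator.clipboard, () => window.event);
//   ...interact with the page, then review entries where strictOk is false.
```

Entries with `strictOk: false` are the writes that would stop working under the stricter rule, which gives a concrete list to review when weighing that rule against existing custom UI.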