clipboard-apis
clipboard-apis copied to clipboard
w3c
Maybe allow content from same origin to be pasted without extra permission requirement
Currently reading clipboard requires extra permission check, which in Chrome shows a prompt, and in Firefox, only available to extensions.
There is a common case where a web app (any kind of editor) may want to allow user to copy and paste, and it may also want to provide a menu item for "Paste" just like normal apps, which would rely on the ability to read clipboard.
And in many of the cases, user would copy and paste within the same web app.
It is dangerous to allow arbitrary page to read clipboard, but it is probably not so dangerous if the content was originally copied from the same origin.
Web app can already support same origin copy/paste without involving extra permission check via e.g. going through local storage. But this makes it harder to support both native clipboard and such internal clipboard. It would be better to use the native clipboard as the single source of truth.
Thus I suggest that browser can probably check whether a content was originally from the given origin, and if so, allows it to read without any extra permission requirement.
On the implementation side, I think nowadays all systems support storing multiple different data in clipboard, so maybe browser can create an extra slot in the data for the origin information.
Yeah, we've definitely considered this in past. One issue with this proposal is that it leaks the information about if and when the user has content from other app or other origin in the system clipboard.
For example, you can copy some content then continuously try to paste. As long as the paste succeeds, you know the user had not copied anything else in the system or in other origins, and as soon as the paste fails / requires a permission, the user had copied some content elsewhere.
Perhaps this risk can be mitigated if we limited to only under user gesture. This is kind of necessary anyway because it would be bad / crappy user experience to let website trigger a copy but not let the user paste it anywhere else but the website itself.
