Paste menu item doesn't work in sandboxed item

Open raronen opened this issue 4 years ago • 6 comments

We use monaco editor in an iframe sandbox that doesn't permit the navigation.clipboard API. (We don't own the parent frame). So the ctrl + V paste option works but the Paste option in the context menu doesn't work because the frame doesn't allow it.

Is it possible to change the implementation of the paste menu context item so it'll work like the ctrl + v shortcut? Paste menu item: image

Sandbox: pic2

raronen avatar Dec 14 '20 11:12 raronen

  • When pressing Ctrl+V, the editor doesn't treat in any way the keydown/keypress events, so it doesn't call preventDefault() on them, which:
  • This causes a paste event to be created by the browser and we use that event to get the paste data. That is why using Ctrl+V can paste without any browser prompts.
  • The editor context menu is custom-drawn via dom nodes and all the actions in there, including Paste are basically simple dom nodes. Clicking on Paste does not generate a browser paste event, so that is why we must reach the clipboard somehow differently. So we first call document.executeCommand('paste') and if that fails we fall back to navigator.clipboard.readText.
  • In this particular case, for which I pushed a repro test case, navigator.clipboard.readText is defined inside the iframe but invoking it always throws an error: DOMException: The Clipboard API has been blocked because of a Feature Policy applied to the current document. See https://goo.gl/EuHzyv for more details
  • The best we could hope for in this case is to hide Paste from the context menu, but unfortunately I could not find anything on the navigator or on navigator.clipboard which would indicate that navigator.clipboard.readText will permanently throw. I have also followed the link https://goo.gl/EuHzyv to https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes and got to read a bit https://w3c.github.io/webappsec-permissions-policy/ , but the advertised way of finding out the current policies (document.permissionsPolicy) does not appear to be implemented yet.
  • Do you know of a way to detect that the current window is a restricted cross-origin iframe? If we could detect that, we could at least hide Paste from the context menu.

alexdima avatar Dec 29 '20 23:12 alexdima

How about "window.isSecureContext"?

Arman19941113 avatar Jan 21 '21 07:01 Arman19941113

Want to know how to hide the "paste" menu. I didn't find the way.

Arman19941113 avatar Jan 21 '21 07:01 Arman19941113

I have tried window.isSecureContext and it is set to true in this case, so the inner iframe is considered a secure context.

alexdima avatar Jan 21 '21 15:01 alexdima

Is there any update on this? I am facing the same issue

andresmarty avatar Aug 31 '23 11:08 andresmarty

Changing navigator.clipboard.readText() to window.top.navigator.clipboard.readText() fixes this bug for me. @alexdima, how about it?

adufilie avatar Jan 11 '24 21:01 adufilie
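
A probe for the detection question raised in the thread, as an added example that is not part of the thread or of monaco-editor's code. It assumes Chromium's non-standard `document.featurePolicy` and the `clipboard-read` permission name, neither of which every browser provides; `clipboardReadState` and `readClipboardForMenu` are hypothetical names.

```javascript
// Added example. `win` is a window-like object so the logic can run against
// constructed mocks as well as a real `window`.

// Probe whether clipboard reads are known to be blocked in this frame.
async function clipboardReadState(win) {
  const nav = win.navigator || {};
  if (!nav.clipboard || typeof nav.clipboard.readText !== 'function') {
    return 'unsupported';
  }
  // Chromium-only (assumption): document.featurePolicy reports the policy
  // inherited from the embedding page synchronously.
  const fp = win.document && win.document.featurePolicy;
  if (fp && typeof fp.allowsFeature === 'function' &&
      !fp.allowsFeature('clipboard-read')) {
    return 'blocked';
  }
  // Permissions API: "denied" means readText() would reject without a prompt.
  if (nav.permissions && typeof nav.permissions.query === 'function') {
    try {
      const status = await nav.permissions.query({ name: 'clipboard-read' });
      if (status.state === 'denied') return 'blocked';
    } catch (_) {
      // Permission name not recognised by this browser: inconclusive.
    }
  }
  return 'unknown'; // not known to be blocked; only a real read can confirm
}

// Paste handler for a custom menu item: on a policy or permission rejection,
// report it so the caller can hide the item instead of failing on every click.
async function readClipboardForMenu(win) {
  try {
    return { text: await win.navigator.clipboard.readText(), hidePaste: false };
  } catch (err) {
    const blocked = err &&
      (err.name === 'NotAllowedError' || err.name === 'SecurityError');
    return { text: null, hidePaste: Boolean(blocked) };
  }
}
```

The page that embeds the editor can delegate the feature to the frame with `allow="clipboard-read"` on the `iframe` element; the framed document cannot grant it to itself.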