Google Chrome allows websites to write (without asking) to the Windows clipboard

[German]Maybe the issue is known to one or the other blog reader – it was new to me. Web pages accessed in the Google Chrome browser can write directly to the Windows clipboard without further user permission or warning. This could be a security issue if this information can be read by third-party applications.


Advertising

Blog reader Robert G. just emailed me about the issue (thanks for that), which is currently being discussed on Hacker News.

Chrome allows websites to write to the clipboard without the user's permission

Steps to reproduce:

1. Visit https://webplatform.news/ in a Chromium-based browser

2. Inspect your clipboard (paste it somewhere)

I tried this for a short time. The screenshot below shows the web page in question and I then highlighted part of the text of that web page for testing.

Chrome allows websites to write to the clipboard without the user’s permission

The above web page uses the following JavaScript code to write to the clipboard:

try {
  let type = 'text/plain';
  let blob = new Blob(
    [
      'Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user's permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.',
    ],
    { type }
  );
  let item = new ClipboardItem({ [type]: blob });
  navigator.clipboard.write([item]);
} catch (err) {}

Then I called the Windows editor Notepad and transferred the contents of the current clipboard to its window using Ctrl+V. The result looks like this:


Advertising

Windows Clipboard Content

There is a message that the browser has written something to the clipboard via the Web Platform News page (although nothing of the selected text has been copied, as the above code only writes the following, fixed, text).

Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user's permission. Sorry for the inconvenience. For more information about this issue, see github.com/w3c/clipboard-apis/issues/182.

On GitHub the issue in question is described. The web page can write to the clipboard in the Chrome browser using navigator.clipboard.write() or navigator.clipboard.writeText() without the user noticing. On Github it says that both Safari and Firefox require an appropriate user gesture (e.g. highlight, and copy with Ctrl+C). In my test with Firefox, the web page could not write anything to the clipboard.

I did the test in the Ungoogled browser – where writing worked. So the problem should also occur with Edge or other Chromium clones. On Hacker News, a contributor writes about this:

From the Chrome bug[0], it appears that this was changed to work without a gesture because the new tab needs to copy text for a Google doodle….

So instead of changing the new tab to require a gesture like all other sites, they decided to allow any site to copy text to the clipboard. Nice.

I think copying to the clipboard needs to be revamped – even with a gesture. Don't you hate it when news sites put a "- from XYZ" on the clipboard? That shouldn't be possible. I'm not sure how to fix this, but it should be fixed.

[0] crbug.com/1334203

The post in the bug report is probably from a Microsoft employee. For me it seems that readText() may also works. On Hacker News, a former Chrome developer has come forward stating that writing to the clipboard has been a common request.


Advertising

This entry was posted in browser, Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).