Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restore gesture requirement for async clipboard write access #16890

Closed
ShivanKaul opened this issue Jul 10, 2021 · 11 comments · Fixed by brave/brave-core#14901
Closed

Restore gesture requirement for async clipboard write access #16890

ShivanKaul opened this issue Jul 10, 2021 · 11 comments · Fixed by brave/brave-core#14901
Assignees
@bsclifton @mkarolin
Labels
OS/Android Fixes related to Android browser functionality OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. privacy/chromium-redqueen Work to remove or improve privacy-harming "features" added in Chromium. privacy QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Test-Plan-Specified QA/Yes release-notes/include
Milestone
1.43.x - Release #4

Comments

@ShivanKaul
Copy link
Collaborator

ShivanKaul commented Jul 10, 2021
edited
Loading

Chromium 66+ implements Asynchronous Clipboard API. Chromium, in contrast to Safari and Firefox, allow a website to write to the user's clipboard using navigator.clipboard.writeText()/write() without a user gesture (only criteria is that the tab should be active).

We should require a user gesture (click, touch events) to enable use of navigator.clipboard.writeText() and navigator.clipboard.write(). Else, promise should reject.

Demo website that attempts to write to the user's clipboard: https://shivankaul.com/brave/clipboard-paste.html (if you get a success message, try to paste)
@ShivanKaul ShivanKaul added OS/Android Fixes related to Android browser functionality OS/Desktop privacy/chromium-redqueen Work to remove or improve privacy-harming "features" added in Chromium. privacy labels Jul 10, 2021
@ShivanKaul ShivanKaul added the priority/P4 Planned work. We expect to get to it "soon". label Jul 27, 2021
@ShivanKaul
Copy link
Collaborator Author

mozilla/standards-positions#89

@tomayac tomayac mentioned this issue Aug 11, 2022
Closed
@UjCbFwtBayFM UjCbFwtBayFM mentioned this issue Aug 27, 2022
Closed
@markg85
Copy link

markg85 commented Aug 28, 2022

Could this be re-evaluated?
Personally i really don't like this clipboard feature at all and want it gone in it's entirety.. That's probably not going to happen so please put it behind a permission request at the very least.

@androolloyd
Copy link

Am here to voice concern over this, its incredibly invasive and I would like to see it removed entirely from the Brave engine.

@bsclifton bsclifton self-assigned this Aug 30, 2022
@rebron rebron added priority/P2 A bad problem. We might uplift this to the next planned release. and removed priority/P4 Planned work. We expect to get to it "soon". labels Aug 30, 2022
@bsclifton
Copy link
Member

When it's time to try the fix, we'll need to go shields down to test the test page when fixing as EasyList is blocking what is required to test the gesture

@mkarolin mkarolin mentioned this issue Aug 30, 2022
Merged
25 tasks
@markg85
Copy link

markg85 commented Aug 30, 2022

Thank you for fixing brave!
Still, imho this entire feature shouldn't exist.. but having it be a permission check and false by default probably make it much less of an issue.

Interesting that this check was removed on the Chrome side for a freaking doodle new tab page purpose... It's beyond me how they can't (or won't) see that change to potentially be quite dangerous.

@fmarier fmarier changed the title Require user gesture for async clipboard write access Restore gesture requirement for async clipboard write access Aug 30, 2022
@mkarolin mkarolin added this to the 1.45.x - Nightly milestone Aug 31, 2022
@mkarolin
Copy link
Contributor

Test Plan
Please, see brave/brave-core#14901

This was referenced Aug 31, 2022
Merged
Merged
@ShivanKaul ShivanKaul mentioned this issue Sep 1, 2022
Closed
@kjozwiak
Copy link
Member

kjozwiak commented Sep 7, 2022

The above will require 1.43.91 or higher for 1.43.x verification 👍

@LaurenWags LaurenWags added QA/Test-All-Platforms QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Sep 8, 2022
@LaurenWags
Copy link
Member

LaurenWags commented Sep 8, 2022
edited
Loading

Verified with

Brave | 1.43.91 Chromium: 105.0.5195.102 (Official Build) (x86_64)
-- | --
Revision | 4c16f5ffcc2da70ee2600d5db77bed423ac03a5a-refs/branch-heads/5195_55@{#4}
OS | macOS Version 12.5.1 (Build 21G83)

Reproduced the issue using 1.43.88 and STR from brave/brave-core#14901 (comment).
Checked with shields up and shields down as per #16890 (comment).

1.43.88 Shields Up 1.43.88 Shields Down
1 3
2 4

Verified issue does not occur with 1.43.91. Checked with shields up and shields down.
When pasting in a new tab, my clipboard was no overwritten, it was the same text I had prior to visiting the page.

1.43.91 Shields Up 1.43.91 Shields Down
1 3
2 4

Note - Per brave/brave-core#14901 (comment), if you see "NotAllowedError" message this is ok as well. I did see this when changing shield settings.

@LaurenWags LaurenWags added QA Pass-macOS and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Sep 8, 2022
@MadhaviSeelam
Copy link

MadhaviSeelam commented Sep 8, 2022
edited
Loading

Verification PASSED using

Brave | 1.43.91 Chromium: 105.0.5195.102 (Official Build) (64-bit)
-- | --
Revision | 4c16f5ffcc2da70ee2600d5db77bed423ac03a5a-refs/branch-heads/5195_55@{#4}
OS | Windows 11 Version 21H2 (Build 22000.856)

Reproduced the issue using 1.43.89 and STR from brave/brave-core#14901 (comment).
Checked with shields up and shields down as per #16890 (comment).

1.43.89 Shields Up 1.43.89 Shields Down
image image
image image

Verified issue does not occur with 1.43.91. Checked with shields up and shields down.
When pasting in a new tab, my clipboard was not overwritten, it was the same text I had prior to visiting the page.

1.43.91 Shields Up 1.43.91 Shields Down
image image

Note - Per brave/brave-core#14901 (comment), if you see "NotAllowedError" message this is ok as well. I did see this when changing shield settings. (Refreshed the page and the error message was dismissed)

@btlechowski
Copy link

Verification passed on

Brave 1.43.92 Chromium: 105.0.5195.102 (Official Build) (64-bit)
Revision 4c16f5ffcc2da70ee2600d5db77bed423ac03a5a-refs/branch-heads/5195_55@{#4}
OS Ubuntu 18.04 LTS

Verified brave/brave-core#14901

Reproduced in 1.43.88
Verified in 1.43.92

shields on ![image](https://user-images.githubusercontent.com/34715963/189639263-4d473d42-2d7a-46cf-a314-cb040c9785a0.png)

shields down
image

@srirambv
Copy link
Contributor

srirambv commented Sep 13, 2022
edited
Loading

Verification passed on Oppo Reno 5 with Android 12 running 1.43.92 x64 build

  • Reproduced the issue on 1.43.88
  • Verified with both Shields Up/Down
1.43.88 1.43.92
image image

Verification passed on Samsung Tab A with Android 10 running 1.43.92 x64 build

  • Reproduced the issue on 1.43.88
  • Verified with both Shields Up/Down
1.43.88 1.43.92
image image

@LaurenWags LaurenWags mentioned this issue Sep 13, 2022
Closed
@kjozwiak kjozwiak mentioned this issue Sep 14, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bsclifton bsclifton

@mkarolin mkarolin

Labels
OS/Android Fixes related to Android browser functionality OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. privacy/chromium-redqueen Work to remove or improve privacy-harming "features" added in Chromium. privacy QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Test-Plan-Specified QA/Yes release-notes/include
Projects
None yet
Milestone
1.43.x - Release #4
Development

Successfully merging a pull request may close this issue.

Reverts Chromium's [Clipboard API] Remove user gesture requirement fo… brave/brave-core