Don't recommend user gesture in clipboard API #75
Comments
|
@CendioOssman: does it imply that all JS functionality requiring transient activation is broken when using a remote desktop application like Cendio? If there's are any news about this issue, please share them here. |
|
Anything supporting transient activation should work fine in our scenarios, if I'm reading that description correctly¹. Assuming the transient activation duration is long enough to cover sending the notification over the network, having the remote applications react, and send a request back. What won't work is things that must be done before returning from an event handler. We are simply too asynchronous for that. And it was my understanding that this was/is how some user activated things are blocked? ¹ There might be some corner cases, but I would assume 99% of applications only do clipboard operations as a result of a keyboard key or mouse button |
|
Thanks for your fast response.
Yes, Safari apparently requires calling For Gecko/Firefox, I'm currently considering to allow calling But I'm wondering, couldn't your application use an async event handler and wait for the result in there?
|
Partially answering my own question: with Safari one might run into the limitation mentioned in https://bugs.webkit.org/show_bug.cgi?id=222262. However, from a security and privacy perspective, I don't understand that limitation. |
|
Adding Agenda label since this might affect the permission PR #164 as well. |
Weak "maybe" on that. The problem is that we don't know which events will trigger a clipboard request. Which means we would need to assume every event could do so. So how would we do a wait if we don't know if that wait would ever complete? Might be some method that works here, but it sounds very hacky and brittle. |
|
Hmm... Transient activation might be an issue on clipboard write. Transferring the clipboard data could be a very slow process for large things (e.g. huge image, or a file). Does the API consider this scenario? I.e. we would need some way to signal that we will be writing to the clipboard, we just need more time to actually provide types and contents. |
|
ClipboardItemData takes a Promise to the Blob/DOMString that you can resolve whenever the data is available. The transient user activation restriction is only for the clipboard.write() call. |
|
I think that should work for us the way things look right now. There is one gotcha in that the mime types need to be provided up front, not via a Promise. So for protocols that don't put the types early this might be an issue. Hopefully those are rare. |
@CendioOssman: does it mean this ticket should be closed?
True, interesting corner case. |
The immediate explanation for this limitation is that we (WebKit) use the same I think we could probably relax this constraint, such that the "user interaction" is valid as long as:
|
|
@whsieh that's great. It would be ideal if it was aligned with the transient activation model of the HTML Standard. The more features rely upon the same mechanism the better for web developers. |
I'm not familiar with your procedures, but if everything here uses transient activation then we should be good for our use cases. Safari needs to be brought in line though before things will work in practice.
I would prefer a few seconds to handle performance hiccups (CPU, network, etc.) that could cause delays. We have more than just JavaScript performance in the browser to worry about. It would also be nice if there is some consensus among the browser implementations on this point. |
@whsieh thanks for the explanation.
In Gecko/Firefox it's currently 5 seconds (https://searchfox.org/mozilla-central/rev/cf77e656ef36453e154bd45a38eea08b13d6a53e/modules/libpref/init/StaticPrefList.yaml#3775-3778).
The third point refers to |
|
The Web Editing Working Group just discussed The full IRC log of that discussion<Travis> topic: Don't recommend user gesture in clipboard API<Travis> github: https://github.com//issues/75 <Travis> johanneswilm: last time the action was whsieh will check user-activation spec and propose number of seconds. <Travis> .. and BoCupp said 1s seems reasonable. <Travis> whsieh: I haven't yet decided on a specific value of seconds... :( <Travis> .. I think we should just start with 1s and increase if needed. <Travis> BoCupp: refresher: why the number of seconds? (Can't remember the details) <Travis> .. when writing to clipboard you can write immediately. Waiting on the network, etc., isn't a problem except for the timing of performing the write call. <Travis> whsieh: in this case the requestor doesn't know whether they want to call clipboard write during the user gesture. <Travis> johanneswilm: e.g., in remote desktop they don't know if anything's on the clipboard. <Travis> .. do I hear correctly that 1s is the recommendation? <Travis> whsieh: I think we should start more conservatively. Chrome/Firefox time is currently 5s. <Travis> .. Webkit's user activation time is 1s everywhere else. This would match everything else. <Travis> .. then eventually we could move everything to match other browser (user-activation time delay to perhaps 5s) <Travis> .. right now there is no delay--it has to be during the event handler. <Travis> BoCupp: Even in navigator.clipboard.write? <Travis> whsieh: yes, in webkit. <Travis> .. like touchstart--other things we consider user activation. <Travis> .. it has to be synchronously as part of the user gesture (no async stuff) <Travis> johanneswilm: So, 1s? Will other browsers change? <Travis> BoCupp: I feel like (no number of seconds) will ever be enough for some of these scenarios. <Travis> johanneswilm: should there be a minimum? <Travis> .. e.g., in firefox it's 5s? But other browsers have faster times (500ms), then it will break everywhere else. <Travis> .. but if it's written down as 1s, then there's an expectation set. <Travis> BoCupp: I'm not inclinded to write the 1s (or other time) anywhere. Would rather provide affordances for delaying rather than just changing the number of seconds for this [edge case]. <Travis> .. 5s seems like a really long time for a user-gesture... <Travis> BoCupp: Would like to say in the issue--not likely to change this. There's no guarantee that this will solve all use cases... <Travis> .. wondering if this is the kind of issue we don't need to put in the spec. <Travis> whsieh: having some delay (in WebKit) would help, since there's currently no delay. <Travis> johanneswilm: So, we don't want to specify any value, but should just say some amount of time? <Travis> BoCupp: If we did say it, we wouldn't put it in our spec... should probably go to user-activation spec? <Travis> .. increasing the seconds to solve this problem isn't really solving the problem. <Travis> .. I do like having a consideration for introducing an async delay. <Travis> .. I like the idea of having whsieh post to the issue and indicate they may take some action... <Travis> action: whsieh to post to the issue and indicate a plan to make an adjustment to support async delay of some sort to handle this scenario. |
|
We (WebKit) will experiment with allowing clipboard writes to be initiated with a timeout of 1 second, which I believe should mostly address the primary issue here (which is that there is currently no "activation grace period" in WebKit). 1 second is also consistent with the existing maximum user gesture forwarding time limit in WebKit. I think we can discuss relaxing this to 5 seconds to match Firefox in the future. |
In this change, we are adding a histogram to see if sites are calling async clipboard APIs without transient user activation. This will help us determine whether we can make transient user activation a strict requirement for async APIs regardless of what formats are being read/written. This will also help address the below github issue: w3c/clipboard-apis#75 (comment) Bug: 106449 Change-Id: I269eb69695a5d41b02db29732bab7144ffcfa8d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3650789 Reviewed-by: Austin Sullivan <[email protected]> Reviewed-by: Stephen Chenney <[email protected]> Commit-Queue: Anupam Snigdha <[email protected]> Cr-Commit-Position: refs/heads/main@{#1005514}
In this change, we are adding a histogram to see if sites are calling async clipboard APIs without transient user activation. This will help us determine whether we can make transient user activation a strict requirement for async APIs regardless of what formats are being read/written. This will also help address the below github issue: w3c/clipboard-apis#75 (comment) Bug: 106449 Change-Id: I269eb69695a5d41b02db29732bab7144ffcfa8d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3650789 Reviewed-by: Austin Sullivan <[email protected]> Reviewed-by: Stephen Chenney <[email protected]> Commit-Queue: Anupam Snigdha <[email protected]> Cr-Commit-Position: refs/heads/main@{#1005514} NOKEYCHECK=True GitOrigin-RevId: 88afaabd3ee6e7413e379870c9cd7dba77e3353d
The new async clipboard API suggestion is a very nice step forward. However it still (vaguely) recommends user gestures as a way to prevent abuse. This method makes the clipboard API completely unusable for our use case so I'd like to plead for a recommendation against that in favour of other protection.
The use case here are remote desktop applications. The entire interface is server side so the Javascript is not aware of any of the logic, or even the layout. Hence it cannot connect user gestures with a clipboard update.
The flow would basically be:
keydownevents.This method is currently blocked, and would continue to be blocked unless browsers stop requiring a user gesture to access the API.
The text was updated successfully, but these errors were encountered: