Chrome 107: Keyboard shortcut triggers "Reading Clipboard" warning

[yorkxin]

Summary

In Chrome, using keyboard shortcut to extract one or more tabs as Markdown to system clipboard triggers the following privacy warning on the web page:

Reproduction Steps

1. Set keyboard shortcut for Copy as Markdown in Chrome (any command)
2. Press the shortcut on a web page

Expected Behavior

• It copies tab(s) as Markdown to Clipboard

Actual Behavior

• A browser popup appears, asking the user to choose whether to approve or reject clipboard reading.

Reproducible Environment

• Browser (Version): Chrome 107
• Operating System (Version): macOS 13
• System Language: N/A
• Example Webpage (if applicable): N/A

[edrex]

It's weird: the extension is doing the reading, not the webpage. Is it the position of the chrome security team that extension context can leak into the page so they are overlapping contexts?
Or, is there some injected code being run in the page context that triggers the warning? If so, is there any way to replace it with code running in the extension context?

[edrex]

Also 😭 why U break my workflows chrome??

[edrex]

Looking at https://github.com/yorkxin/copy-as-markdown/blob/master/src/lib/clipboard-access.js I have a guess: chrome newly has added navigator.clipboard but it triggers the warning. Maybe conditionally skip that block if we're in chrome? edit: removing the try block with the navigator.clipboard call avoids the error, so yes it's that call.

[yorkxin]

@edrex Thanks for your input.

the extension is doing the reading, not the webpage.

To be clear, this extension only does writing into the clipboard, not reading.

edit: removing the try block with the navigator.clipboard call avoids the error, so yes it's that call.

I poked around the code related to clipboard, permissions, content scripting etc. and it seems that the permission warning appears when either navigator.clipboard or document.execCommand("Copy") is used.

Sometimes the warning don't appear anymore once I choose "Approve", other times it just don't appear on a different site. I can't realize what dismisses the warning.

In this case, right-click menu is working, popup is working, only keyboard shortcut is broken. Keyboard shortcut requires special hacks with content script because Chrome doesn't like the program run copy without explicit user interaction, and at least since one version of Chrome, runtime.onCommand (keyboard) doesn't count as user interaction in background script.

The most recent issue in Chromium I can find is this one: https://bugs.chromium.org/p/chromium/issues/detail?id=1334203

All features are working well in Firefox. I would assume this is a Chromium-specific issue.

[yorkxin]

Asked question on Chromium bug tracker: https://bugs.chromium.org/p/chromium/issues/detail?id=1334203#c30

[yorkxin]

I'm trying to find a viable workaround here: https://github.com/yorkxin/copy-as-markdown/pull/111/files

It looks like the dialog won't be triggered using document.execCommand. I've been told by MDN that this API should be deprecated in favor of navigator.clipboard, so I am not comfortable going back to the old method again...

[yorkxin]

Tracking: https://bugs.chromium.org/p/chromium/issues/detail?id=1382608

[yorkxin]

Tried to solve this with a workaround using permission query API in #111. It turns out: on every page you visit, the first time invoking keyboard shortcut will not work (even if the console log suggest that it is using textarea, which should work). It only works after the first time you use context menu. And because permission query is handled in an async function, it silently fails.

[yorkxin]

It looks like the problem with textarea is that if the document is not focused (not sure if this is the right terminology), then document.execCommand will return false.

• Reload the page - document is not 'focused' - can't copy
• Click anywhere on the page - document becomes 'focused' - can copy
• Right click on the page and select Copy as Markdown item - I literally just clicked on the page - can copy

Now I need to figure out what makes a page 'focused'...

[yorkxin]

Continue working in #112

[yorkxin]

Need some UI to show such error. Considering chrome.actions.openPopup() when such error happened.

https://developer.chrome.com/docs/extensions/reference/action/#method-openPopup

[cdbattags]

So with all of these options, will it require the website to specifically have clipboard access?

It's crazy that Chromium/Chrome team believes this is "WAI". I wonder what changed recently. I trust this extension way more than I trust these websites 😅.

[yorkxin]

@cdbattags

I trust this extension way more than I trust these websites

Thanks. That means a lot to me!

In terms of website permission, it looks like there is no need to require the website to have clipboard access for Copy as Markdown to work.

there are two ways to write to clipboard:

1. Native navigator.clipboard API
2. legacy document.execCommand('copy') call in a textarea.

The native API triggers permission warning, the legacy method does not, but it returns false in some cases.

From what I have observed, it seems that 'user gesture' is the keyword:

Using mouse will always work -- it has a 'user gesture'. This is why it works for context menu and extension popup.

Calling the native API directly without any mouse interaction, requires permission. This is the case of Keyboard Shortcut. Since the code is executed in the content script i.e the web page's context, Chrome shows warning about the website trying to access clipboard, which can be seen as a false positive but also true positive.

Calling the legacy method without any mouse interaction, may or may not work depends on browser. The execCommand function returns false when browser decided that writing to the clipboard is not allowed. On Firefox it happen when the textarea is hidden. On Chrome it happens when you have not click on the web page yet. I am not sure if this counts as 'user gesture' though.

Moving forward, I'm thinking about a few solutions:

• Warn the user when content script detects that document.execCommand failed because they just switched the tab. This introduces annoying UX to keyboard-heavy users.
• Try to use Extension Popup to write to clipboard, and work around permission warning for good. (In the context of Extension, so no more hacking Content Script)

Both require further investigation, and I have no timeline for either of them. I'll try my best during my free time.

Meanwhile, please try an RC version here:

https://github.com/yorkxin/copy-as-markdown/releases/tag/v2.7.0rc2

This one won't trigger permission warning on Chrome, but will show a red X icon when copy failed.

[yorkxin]

Found a workaround: inject an iframe to an HTML page that performs document.Copy 🤯

Need to do some more tests...

#113

[yorkxin]

@edrex @cdbattags Hi, I've released a beta version of Copy as Markdown v2.7.0rc4. This version fixed the issue that Keyboard Shortcuts on Chrome may not work. It'd be very helpful if you could try it in your daily workflow, and see if the issue happens again.

To test:

1. Go to Chrome's "Extensions" page (chrome://extensions).
2. Disable Copy as Markdown (no need to uninstall)
3. Download v2.7.4rc4 crx file from https://github.com/yorkxin/copy-as-markdown/releases/tag/v2.7.0rc4
4. Drag and Drop the downloaded file to Chrome's Extensions Page

When reporting the test results, please also let me know what operation system and what version of Chrome you're using.

Thanks!

[selfpublish]

So far so good. No issues! To clarify the installation a bit: after you drag the .crx file into your extensions window, you need to turn the original plug-in back on. The .crx patches the existing plugin to fix the issue. Thank you Yucheng!

[cdbattags]

Hmmm, looks like it's working but got this message:

I wonder where that came from?

[yorkxin]

@selfpublish Actually could you try disabling the original plug-in, and only enabling the CRX version? The CRX file should be able to work by itself. Please also configure the keyboard shortcut for the CRX version. Thanks!

[yorkxin]

@cdbattags Haha, I see. Of course Google won't allow any extension to inject code into its own websites. I'll try to work around this issue in the follow up versions.

Meanwhile, could you try other non-Google websites?

[edrex]

Copying the current URL via the keyboard shortcut seems to work, even without "focusing" the page. Thank you for putting in the time to get this working, and for continuing to support this very useful extension @yorkxin!

wrt installing the test CRX from Github:

• I found that just dragging it into extensions replaced the (still enabled) chrome web store version, and kept the configured keyboard shortcut.
• @cdbattags I believe that message is shown whenever chrome downloads a crx file. It's just saying "I won't install that automatically".

[cdbattags]

From my testing on two different Chrome profiles this looks good to go!

[yorkxin]

@edrex @cdbattags @selfpublish Thanks for helping me with the testing. I have published version 2.7.1 on Chrome Web Store and Firefox Add-Ons store. Please uninstall the standalone crx version (the one with rc1 in the version name), and install the release version from web stores. It may take a few hours for them to become available in your region.

Let me know if you have any questions!