Comment by mrguyorama

Comment by mrguyorama 15 hours ago

Why can a website silently add stuff to my clipboard anyway? Firefox and Safari require "transient activation" to enable clipboard actions, which apparently only means you clicked your mouse (anywhere) or made a keystroke. What a brilliant security/permission strategy for such an important function, which can do things like expose your password, modify copied links, shuttle information across web page security and isolation boundaries etc

Chrome at least requires a prompt for reading clipboard contents, which is apparently "diverting from the specifications"!

Who came up with this? Why is every feature in web browsers and javascript built in the dumbest way possible? At least in Win32 when it says "you should only touch the clipboard on request from the user" they have the excuse that it was 1995 and there was very little information to muck with or steal on the average computer! Even then they still worked towards hardening the functionality.

Web browsers implemented this in 2018!

duskwuff 14 hours ago

> Why can a website silently add stuff to my clipboard anyway?

It's copying content to the clipboard after the user clicks the "I'm not a robot" button. This is indistinguishable from the user clicking a "copy to clipboard" button on a web page, or clicking through an "edit > copy" menu - the only difference is user intent.

Reply View 0 replies

LorenPechtel 14 hours ago

There was a click in the sequence. More of an issue I think is that it sounds like this executes immediately. If so I think the proper fix is to preclude Powershell from accepting any form of execution from the clipboard--you can paste in the command but the user must execute it.

Reply View 1 reply

nullindividual 12 hours ago

The user is executing the script. They're pasting it in and hitting 'run' in the run dialog box.

Reply View | 0 replies