dom.event.clipboardevents.enabled is required to get copy/paste working on Google Docs

[fmarier]

For copy/paste to work on Google Docs using the keyboard (Ctrl+C, Ctrl+X, Ctrl+V), it needs dom.event.clipboardevents.enabled to be enabled.

We could however disable dom.allow_cut_copy (introduced in https://bugzilla.mozilla.org/show_bug.cgi?id=1170911) since that appears to only be required for using the clipboard using the mouse UI.

I'm not sure what the best path forward is here, but here are ideas:

• adding a comment to mention keyboard clipboard operations next to the dom.event.clipboardevents.enabled pref
• commenting it out the pref by default to prevent breakage
• adding dom.allow_cut_copy = false by default to prevent sites from tampering with the clipboard contents

[nodiscc]

dom.allow_cut_copy was added in #277, set to false, as @Thorin-Oakenpants noted we should keep enforcing false for both, but is definitely something to consider for a relaxed variant/branch #231 (set both prefs to true)

[nodiscc]

SVG

#276

If you are afraid of breakage, then you should revisit

#231 :)

[gcb]

Does disabling this actually prevents clipboard reading without user initiating a paste action?

[pyllyukko]

Does disabling this actually prevents clipboard reading without user initiating a paste action?

I sure as hell hope so! Otherwise random sites could read everything you put in there and that would be a security disaster.

[gcb]

I was probably too tired when i wrote that earlier comment :)

I meant, having this (as in the change to user.js being discussed) disabled (as in, having the firefox setting enabled) does prevent clipboard reading at random times?

I guess, a better question, what are the attack vectors we are trying to fix by disabling this?

One case I know that is actively exploited in the wild is clipboard pollution, which is still a problem on most browsers. Thanks to github and others wanting to add to your clipboard when you click the "copy" button because all users are too dumb to copy text, sites can add whatever they want to your clipboard if you visit them. This would fix it, but it is pretty low severity.

I am not aware of any way to get data from clipboard unless user initiate a paste event into the site.

So, having a way to prevent writing to clipboard while allowing paste would be the best of both world. Top security. Top usability.

[pyllyukko]

One case I know that is actively exploited in the wild is clipboard pollution, which is still a problem on most browsers.

I guess this is the main case with this/these setting(s).

So, having a way to prevent writing to clipboard while allowing paste would be the best of both world.

BTW. I was wondering whether there are other apps than Google Docs where Ctrl+V breaks 🤔 Because it seems to work in most places.

[gcb]

BTW. I was wondering whether there are other apps than Google Docs where Ctrl+V breaks 🤔 Because it seems to work in most places.

Everywhere you have rich-paste (i.e. you can paste images, etc)

To accomplish this, they use some badly coded react component that uses DIV instead of proper INPUT html element. So if you initiate a paste event without the java-script hacks, you just pasted nowhere on the page and it will be ignored.

bug examples i can think of:

• reddit and most other forums (easily worked around by switching to markdown/source edit mode. which gives you a textarea)
• element.io, no workaround.

examples that do it right:

• whats app web (you can still paste text because they use a hidden textarea to capture input and only replace it on display)