Re: Clipboard API: Enable `copy` event simulation with user's express permission (domain-wide)?
James,

I personally think it would be a really good idea. But I am not a browser implementor.

Overall, I agree with you that writing to the clipboard, only within a click or key event processing maybe?, is likely to be a non-concern on privacy.

I would love to hear others' feedback. Is maybe a first step something such as a browser-extension?

Did you hear brags about users of websites that allowing copy was not a good idea?
(I heard a brag close to it by TimBL and J Gruber about the usage of clipboard injection: http://lists.w3.org/Archives/Public/www-tag/2010Jun/0007.html are we close to that? I think not but maybe can such a feature get close to it?)

Paul

On 12 juil. 2013, at 21:57, James Greene wrote:

> It appears that the only way to trigger a `copy` event programmatically is to use `document.execCommand('copy')`, which most browsers prevent: http://www.w3.org/TR/clipboard-apis/#integration-with-other-scripts-and-events
>
> What about enabling so enabling semi-restricted programmatic clipboard injection on a page if the user grants their express permission via a once-per-domain security prompt (similar to the Geolocation API)?
>
> IOW, given a user's express permission to the origin and following a user's pointer event or keyboard interaction, I would like to be able to simulate the `copy` event (and the `beforecopy` event, if practical).
>
> I'm not quite sure how far this will go as clipboard poisoning is always a real concern. In fact, I understand that better than most, since my desire to get such an adaptation to the Clipboard API spec is the direct result of my work as the co-maintainer of the popular ZeroClipboard library (used by GitHub, bit.ly, and many other sites).
>
> Jon and I would like nothing better than to eliminate ZeroClipboard's dependency on Flash but that is unattainable given the current restrictions of this spec. If Flash doesn't live on for anything else, it may well live on longer than it should for its unmatched ability to do programmatic clipboard injection after a user's click or keypress. :(
>
> Thoughts?
>
> Sincerely,
> James Greene
> http://jamesgreene.net/
Re: Clipboard API: Enable `copy` event simulation with user's express permission (domain-wide)?
On Jul 12, 2013, at 12:57 PM, James Greene james.m.gre...@gmail.com wrote:

> It appears that the only way to trigger a `copy` event programmatically is to use `document.execCommand('copy')`, which most browsers prevent: http://www.w3.org/TR/clipboard-apis/#integration-with-other-scripts-and-events
>
> What about enabling so enabling semi-restricted programmatic clipboard injection on a page if the user grants their express permission via a once-per-domain security prompt (similar to the Geolocation API)?
>
> IOW, given a user's express permission to the origin and following a user's pointer event or keyboard interaction, I would like to be able to simulate the `copy` event (and the `beforecopy` event, if practical).

I don't want the clipboard API specification to mandate one behavior or another. It's something each browser vendor should be able to decide.

- R. Niwa
Re: Clipboard API: Enable `copy` event simulation with user's express permission (domain-wide)?
On Jul 12, 2013, at 12:57 PM, James Greene james.m.gre...@gmail.com wrote:

>> It appears that the only way to trigger a `copy` event programmatically is to use `document.execCommand('copy')`, which most browsers prevent: http://www.w3.org/TR/clipboard-apis/#integration-with-other-scripts-and-events

On Wed, Jul 24, 2013 at 5:18 PM, Ryosuke Niwa rn...@apple.com wrote:

> I don't want the clipboard API specification to mandate one behavior or another. It's something each browser vendor should be able to decide.

That's the situation we are in now and it sucks for developers. We should be able to do better.

--
http://annevankesteren.nl/
Re: Clipboard API: Enable `copy` event simulation with user's express permission (domain-wide)?
Paul:

Looking at TimBL's 2010 post, I feel like it's from a slightly era in the web's lifetime. Looking at this problem again with today's web, I'd rather see the ability for clipboard injection become a standard available API and rather create a browser extension to *prevent* it rather than to *enable* it.

To me, it's reminiscent of the discussion that probably occurred when the ability to create popup windows was first introduced, and then AdBlock (and similar apps, browser extensions, etc.) were soon to follow.

Hell, I'd be happy to write some of the extensions myself if it helps push my agenda. ;)

Sincerely,
James Greene

On Wed, Jul 24, 2013 at 3:22 PM, Paul Libbrecht p...@hoplahup.net wrote:

> James,
>
> I personally think it would be a really good idea. But I am not a browser implementor.
>
> Overall, I agree with you that writing to the clipboard, only within a click or key event processing maybe?, is likely to be a non-concern on privacy.
>
> I would love to hear others' feedback. Is maybe a first step something such as a browser-extension?
>
> Did you hear brags about users of websites that allowing copy was not a good idea?
> (I heard a brag close to it by TimBL and J Gruber about the usage of clipboard injection: http://lists.w3.org/Archives/Public/www-tag/2010Jun/0007.html are we close to that? I think not but maybe can such a feature get close to it?)
>
> Paul
>
> On 12 juil. 2013, at 21:57, James Greene wrote:
>
>> It appears that the only way to trigger a `copy` event programmatically is to use `document.execCommand('copy')`, which most browsers prevent: http://www.w3.org/TR/clipboard-apis/#integration-with-other-scripts-and-events
>>
>> What about enabling so enabling semi-restricted programmatic clipboard injection on a page if the user grants their express permission via a once-per-domain security prompt (similar to the Geolocation API)?
>>
>> IOW, given a user's express permission to the origin and following a user's pointer event or keyboard interaction, I would like to be able to simulate the `copy` event (and the `beforecopy` event, if practical).
>>
>> I'm not quite sure how far this will go as clipboard poisoning is always a real concern. In fact, I understand that better than most, since my desire to get such an adaptation to the Clipboard API spec is the direct result of my work as the co-maintainer of the popular ZeroClipboard <https://github.com/zeroclipboard/ZeroClipboard> library (used by GitHub, bit.ly, and many other sites).
>>
>> Jon and I would like nothing better than to eliminate ZeroClipboard's dependency on Flash <https://github.com/zeroclipboard/ZeroClipboard/issues/171> but that is unattainable given the current restrictions of this spec. If Flash doesn't live on for anything else, it may well live on longer than it should for its unmatched ability to do programmatic clipboard injection <http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/desktop/Clipboard.html#setData()> after a user's click or keypress. :(
>>
>> Thoughts?
>>
>> Sincerely,
>> James Greene
>> http://jamesgreene.net/
Re: Clipboard API: Enable `copy` event simulation with user's express permission (domain-wide)?
Hallvord —

I have also long agreed that clipboard poisoning is rarely that big of an issue so long as we're not enabling programmatic reading of the clipboard during a copy event (which I would agree is completely unnecessary).

As you said, since Flash is already an available option to do this today (and can thus only be prevented by disabling Flash, or enforcing specialized clipboard sandboxing at a system level), moving it into the DOM world isn't a big stretch by any means.

I also agree that making this ability the default is not unreasonable anymore but I thought that might be a bit of a stretch... happy to see that I am wrong. :)

Sincerely,
James Greene

On Wed, Jul 24, 2013 at 5:34 PM, Hallvord Steen hst...@mozilla.com wrote:

> [Replying to Paul's mail but it's really a response to James - sorry, Paul..]
>
> On 12 juil. 2013, at 21:57, James Greene wrote:
>
>> It appears that the only way to trigger a `copy` event programmatically is to use `document.execCommand('copy')`, which most browsers prevent: http://www.w3.org/TR/clipboard-apis/#integration-with-other-scripts-and-events
>
> Correct.
>
>> What about enabling so enabling semi-restricted programmatic clipboard injection on a page if the user grants their express permission via a once-per-domain security prompt (similar to the Geolocation API)?
>
> Well, with my spec editor's hat on: Nothing really prevents UAs from implementing this already. They could hook up document.execCommand('Copy') to whatever that UA's convention for a security permission prompt is. I'd like to see this, actually.
>
> That said, this functionality doesn't really have privacy implications (as long as it is about programmatically *writing to*, not *reading from* the clipboard) so it's mostly just about preventing nuisance, plus some slightly far-fetched security threats (which aren't all that credible if they are not already exploited with Flash's clipboard implementation).
>
> Our intentions as implementors have sort of moved towards enabling all the cool stuff apps and sites might do, and away from trying to control nuisance. It's quite possible to argue that writing to the clipboard should be enabled by default.
>
> -Hallvord
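The gate discussed in this thread (writes allowed only shortly after a click or keypress and with a permission remembered per origin, reads not exposed), as an added JavaScript model that is not part of the original messages or of any browser's code. `ClipboardGate`, the one-second gesture window, the reason strings and the `*.example` origins are assumptions made for illustration.

```javascript
// Added illustration: toy model of the permission gate proposed in the thread.
// ClipboardGate, GESTURE_WINDOW_MS and the reason strings are hypothetical.
const GESTURE_WINDOW_MS = 1000; // assumed lifetime of a click/keypress
class ClipboardGate {
  constructor(promptUser) {
    this.promptUser = promptUser; // (origin) => boolean, stands in for the UA prompt
    this.grants = new Map();      // origin -> remembered answer
    this.gestures = new Map();    // origin -> time of last click/keydown
    this.promptCount = 0;
  }
  // Only pointer/keyboard input counts; timers and load events do not.
  noteEvent(pageUrl, type, now) {
    if (type === 'click' || type === 'keydown') {
      this.gestures.set(new URL(pageUrl).origin, now);
    }
  }
  request(pageUrl, operation, now) {
    const origin = new URL(pageUrl).origin;
    // Reads are refused: the thread treats only writing as free of privacy implications.
    if (operation !== 'write') return { allowed: false, reason: 'read-not-exposed' };
    const last = this.gestures.get(origin);
    if (last === undefined || now - last > GESTURE_WINDOW_MS) {
      return { allowed: false, reason: 'no-user-gesture' };
    }
    if (!this.grants.has(origin)) { // ask once, remember the answer per origin
      this.promptCount += 1;
      this.grants.set(origin, Boolean(this.promptUser(origin)));
    }
    const ok = this.grants.get(origin);
    return { allowed: ok, reason: ok ? 'granted' : 'denied-by-user' };
  }
}

// Constructed scenario: the user accepts the prompt only for https://app.example.
function runScenario() {
  const gate = new ClipboardGate((origin) => origin === 'https://app.example');
  const out = [];
  out.push(gate.request('https://app.example/a', 'write', 0).reason);    // on load
  gate.noteEvent('https://app.example/a', 'click', 100);
  out.push(gate.request('https://app.example/a', 'write', 150).reason);
  out.push(gate.request('https://app.example/a', 'read', 160).reason);
  out.push(gate.request('https://app.example/a', 'write', 5000).reason); // stale gesture
  gate.noteEvent('https://app.example/b', 'keydown', 6000);
  out.push(gate.request('https://app.example/b', 'write', 6010).reason); // same origin
  gate.noteEvent('https://ads.example/x', 'click', 7000);
  out.push(gate.request('https://ads.example/x', 'write', 7001).reason);
  return { out, prompts: gate.promptCount };
}
```

The second page on `https://app.example` reuses the stored grant, so the scenario prompts twice in total: once per origin, not once per page.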
Re: Clipboard API: Enable `copy` event simulation with user's express permission (domain-wide)?
Ryosuke Anne —

Agreed with Anne, leaving it up to the browser vendors an agreed upon standard (or at least marching direction) means zero progress.

Sincerely,
James Greene

On Wed, Jul 24, 2013 at 7:32 PM, Anne van Kesteren ann...@annevk.nl wrote:

> On Jul 12, 2013, at 12:57 PM, James Greene james.m.gre...@gmail.com wrote:
>
>>> It appears that the only way to trigger a `copy` event programmatically is to use `document.execCommand('copy')`, which most browsers prevent: http://www.w3.org/TR/clipboard-apis/#integration-with-other-scripts-and-events
>
> On Wed, Jul 24, 2013 at 5:18 PM, Ryosuke Niwa rn...@apple.com wrote:
>
>> I don't want the clipboard API specification to mandate one behavior or another. It's something each browser vendor should be able to decide.
>
> That's the situation we are in now and it sucks for developers. We should be able to do better.
>
> --
> http://annevankesteren.nl/
Re: Clipboard API: Enable `copy` event simulation with user's express permission (domain-wide)?
Oh, and for the record, the analytics company discussed in the Tim BL's post could've really still managed to do what they were doing without any copy events at all, it just would've been less accurate.

For example, they could've just as easily added event handlers for right-click (contextmenu) or Ctrl+C keypresses when there is an active text selection and make the assumption that the user intended to copy that text. They might be wrong some of the time with the right-click handling but it would still be factual that the user at least had a special interest in the text selection.

I actually think that kind of analytics is awesome — so long as it isn't being used for evil, of course. :)

Sincerely,
James Greene

On Wed, Jul 24, 2013 at 8:07 PM, James Greene james.m.gre...@gmail.com wrote:

> Paul:
>
> Looking at TimBL's 2010 post, I feel like it's from a slightly era in the web's lifetime. Looking at this problem again with today's web, I'd rather see the ability for clipboard injection become a standard available API and rather create a browser extension to *prevent* it rather than to *enable* it.
>
> To me, it's reminiscent of the discussion that probably occurred when the ability to create popup windows was first introduced, and then AdBlock (and similar apps, browser extensions, etc.) were soon to follow.
>
> Hell, I'd be happy to write some of the extensions myself if it helps push my agenda. ;)
>
> Sincerely,
> James Greene
>
> On Wed, Jul 24, 2013 at 3:22 PM, Paul Libbrecht p...@hoplahup.net wrote:
>
>> James,
>>
>> I personally think it would be a really good idea. But I am not a browser implementor.
>>
>> Overall, I agree with you that writing to the clipboard, only within a click or key event processing maybe?, is likely to be a non-concern on privacy.
>>
>> I would love to hear others' feedback. Is maybe a first step something such as a browser-extension?
>>
>> Did you hear brags about users of websites that allowing copy was not a good idea?
>> (I heard a brag close to it by TimBL and J Gruber about the usage of clipboard injection: http://lists.w3.org/Archives/Public/www-tag/2010Jun/0007.html are we close to that? I think not but maybe can such a feature get close to it?)
>>
>> Paul
>>
>> On 12 juil. 2013, at 21:57, James Greene wrote:
>>
>>> It appears that the only way to trigger a `copy` event programmatically is to use `document.execCommand('copy')`, which most browsers prevent: http://www.w3.org/TR/clipboard-apis/#integration-with-other-scripts-and-events
>>>
>>> What about enabling so enabling semi-restricted programmatic clipboard injection on a page if the user grants their express permission via a once-per-domain security prompt (similar to the Geolocation API)?
>>>
>>> IOW, given a user's express permission to the origin and following a user's pointer event or keyboard interaction, I would like to be able to simulate the `copy` event (and the `beforecopy` event, if practical).
>>>
>>> I'm not quite sure how far this will go as clipboard poisoning is always a real concern. In fact, I understand that better than most, since my desire to get such an adaptation to the Clipboard API spec is the direct result of my work as the co-maintainer of the popular ZeroClipboard <https://github.com/zeroclipboard/ZeroClipboard> library (used by GitHub, bit.ly, and many other sites).
>>>
>>> Jon and I would like nothing better than to eliminate ZeroClipboard's dependency on Flash <https://github.com/zeroclipboard/ZeroClipboard/issues/171> but that is unattainable given the current restrictions of this spec. If Flash doesn't live on for anything else, it may well live on longer than it should for its unmatched ability to do programmatic clipboard injection <http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/desktop/Clipboard.html#setData()> after a user's click or keypress. :(
>>>
>>> Thoughts?
>>>
>>> Sincerely,
>>> James Greene
>>> http://jamesgreene.net/
Re: Clipboard API: Enable `copy` event simulation with user's express permission (domain-wide)?
*Correction:* leaving it up to the browser vendors WITHOUT an agreed upon standard (or at least marching direction) means zero progress.

Sincerely,
James Greene

On Wed, Jul 24, 2013 at 8:11 PM, James Greene james.m.gre...@gmail.com wrote:

> Ryosuke Anne —
>
> Agreed with Anne, leaving it up to the browser vendors an agreed upon standard (or at least marching direction) means zero progress.
>
> Sincerely,
> James Greene
>
> On Wed, Jul 24, 2013 at 7:32 PM, Anne van Kesteren ann...@annevk.nl wrote:
>
>> On Jul 12, 2013, at 12:57 PM, James Greene james.m.gre...@gmail.com wrote:
>>
>>>> It appears that the only way to trigger a `copy` event programmatically is to use `document.execCommand('copy')`, which most browsers prevent: http://www.w3.org/TR/clipboard-apis/#integration-with-other-scripts-and-events
>>
>> On Wed, Jul 24, 2013 at 5:18 PM, Ryosuke Niwa rn...@apple.com wrote:
>>
>>> I don't want the clipboard API specification to mandate one behavior or another. It's something each browser vendor should be able to decide.
>>
>> That's the situation we are in now and it sucks for developers. We should be able to do better.
>>
>> --
>> http://annevankesteren.nl/