Make sure WebXDC cannot access the clipboard

[link2xt]

See discussion at #3413 (comment)

[hpk42]

On Wed, Sep 27, 2023 at 05:48 -0700, link2xt wrote: See discussion at #3413 (comment)

i don't understand -- when i am opening the editor i *want* to be able to paste something into it. Are you suggesting to disable this ability completely?

[link2xt]

WebXDC app should not be able to access the clipboard without explicit user action. Otherwise it is possible to make an app that posts your clipboard to the public board every time you open it.

execCommand('paste') should not work: https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommand

New Clipboard API require a clipboard-read permission, this should be asked for each app or disabled.

Pasting into forms is possible in any case.

[hpk42]

On Thu, Sep 28, 2023 at 02:15 -0700, link2xt wrote: WebXDC app should not be able to access the clipboard without explicit user action. Otherwise it is possible to make an app that posts your clipboard to the public board every time you open it. `execCommand('paste')` should not work: https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommand New [Clipboard API](https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API) require a `clipboard-read` permission, this should be asked for each app or disabled.

if i go to any https-website, can they get at the content of my clipboard in default browser? Or is that only possible for browser-controlled input/edit-fields ?

[Simon-Laux]

we can try to overwrite it, but then we have the iframe problem again:

iframe.contentWindow.document.execCommand("paste")

btw it still works in electron 26.

also the clipboard api does not work, because it's permission is denied, somehow execCommand works regardless.