clipboard access
Hi folks,
Im thinking of switching browsers from IE10 to firefox. In IE10 I could control programmatic clipboard access by disabling it, and therefore stop websites from capturing any text/data I have stored in the local clipboard.
What does firefox do to stop this exploit? I am checking security functions of browsers before I switch.
Many thanks.
Chosen solution
Can you guys name some legitimate reasons that a website might need dom.event.clipboardevents.enabled to be set to true? I mean, something that would actually affect functionality?
(No, stopping me from using copy/paste or, worse, putting ads in my clipboard do not count as legitimate, functional uses.)
Read this answer in context 👍 0All Replies (15)
hello, firefox will block access to the clipboard by default: http://kb.mozillazine.org/Granting_JavaScript_access_to_the_clipboard
That's reassuring to know. Just for clarity, and please forgive my ignorance but I take it Firefox is a Mozilla product, so the link you gave me applies to Firefox.
Many thanks.
Chimp.
yes, this applies to firefox. mozillazine is a community-run site which has lots of documentation & support ressources about mozilla products...
Thank you kindly for your quick and concise response! ;o)
Note that you can use keyboard shortcuts if buttons on web pages aren't working, so you usually do not need to make changes and allow clipboard access.
- Copy: Ctrl+C or Ctrl+Insert (Mac: Command + C)
- Paste: Ctrl+V or Shift+Insert (Mac: Command + V)
- Cut: Ctrl+X or Shift+Delete (Mac: Command + X)
Many thanks!
You might also be interested in the ability of websites to see and react to your manual clipboard actions (cut, copy, paste). To block sites from being able to see those actions, you can switch a preference.
But first, please note... By changing this setting, you gain in privacy and possibly security, but you sacrifice a bit of functionality on some sites that use these features to improve the behavior of some types of editors. It also breaks some features of Firefox's own Scratchpad developer tool. You have to decide whether this is an acceptable trade-off.
Here's how:
(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(2) In the search box that appears above the list, type or paste clip and pause while the list is filtered
(3) Double-click dom.event.clipboardevents.enabled to flip the value from true (the default) to false.
More on this preference:
You can look at this extension to toggle the above mentioned dom.event.clipboardevents.enabled pref:
- Disable clipboard manipulations: https://addons.mozilla.org/firefox/addon/nocopypaste/
Modified
Guys, you are confusing me now.
As I understand it Firefox by default does not allow *reading* of clipboard data by websites (for security reasons). Are you just telling me about normal copy and paste functions used in the browser?
Many thanks.
Chimp.
Its ok folks, im not confused now. Firefox disables the reading of the clipboard by default -:
"By default, JavaScript is not allowed to read or set your clipboard data for security and privacy reasons"
http://kb.mozillazine.org/Granting_JavaScript_access_to_the_clipboard
And the dom.event.clipboardevents Allows you to stop websites seeing and reacting to cut,copy and paste actions etc.
Makes sense now, many thanks.
You beat me to it.
Hi Chimp, the last two posts relate to clipboard events that sites can use to trigger a script when you copy or paste. For example, let's say you select and copy some text from a site and then paste it somewhere else, and surprisingly, what you pasted includes a link back to the original article. This is accomplished by detecting that you are copying from the page and invisibly altering the content of your selection. Other sites might try to cancel your copy without an intrusive warning message. What I think is potentially more insidious is sites tracking what you copy as part of their building a profile for targeted advertising. I'm not aware of anyone doing it, but I can't imagine sites would ignore the possibility of learning even more about us.
Modified
Yes indeed,
All manner of data collection can be employed. Its quite interesting in the light of PRISM and the NSA scandal, that most people have become much more aware of security and personal data. A kind of organic evolution is occuring between the bad guys, and the user.
The more the security agencies push, the more secure the users become (i hope)
Cheers.
Chosen Solution
Can you guys name some legitimate reasons that a website might need dom.event.clipboardevents.enabled to be set to true? I mean, something that would actually affect functionality?
(No, stopping me from using copy/paste or, worse, putting ads in my clipboard do not count as legitimate, functional uses.)
Hi there,
I suppose a website based editor may need to monitor clipboard events for data management. I.e, perhaps you need to undo a copy and paste action, therefore the online web app needs to see what the clipboard is doing.
But outside of those reasons, i just disable all clipboard based option for safety.
Hope this helps.
Chimp.
Hello all. Please see my topic #1684 on the Custom Buttons forum for a solution in the form of a custom button to toggle the user preference and make the user aware by CSS customisations. It's not finished yet, but it is functional (and I may have forgotten to post here otherwise).
http://custombuttons.sourceforge.net/forum/viewtopic.php?f=6&t=1684