Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add consideration for not allowing this before the first read #6

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add consideration for not allowing this before the first read #6

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3cddd52
Add consideration for not allowing this before the first read
zgroza Feb 17, 2025
4c299c6
Make wording less ambiguous
zgroza Feb 18, 2025
3c84d46
Wording adjustment
zgroza Feb 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -172,11 +172,18 @@ danger is a new fingerprinting surface. To remediate this:
- This should be available only when the document is in focus (same as `navigator.clipboard.read()`).
- The ID returned by this should be unique to the origin calling the method and change every time the site data for it
is deleted.
- The returned promise should be rejected before the document first successfully calls `read()` or `readText()` within a
session. In particular, a browser that implements persistent clipboard permissions might just put this behind
`clipboard-read`.
Comment on lines +175 to +177
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just putting this behind clipboard-read isn't equivalent to rejecting before the document first calls read(), since that permission could be remembered from a different visit. You can probably just remove the second sentence, unless there's a use case I'm not seeing for getting the content-id before reading within a given visit?

Suggested change
- The returned promise should be rejected before the document first successfully calls `read()` or `readText()` within a
session. In particular, a browser that implements persistent clipboard permissions might just put this behind
`clipboard-read`.
- The returned promise should be rejected before the document first successfully calls `read()` or `readText()` within a
session.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, this isn't equivalent, yes - but the entire idea is to forbid applications that have no business using clipboard from using this. If a site has full access to the clipboard anyway because of the persistent permission, it would make sense not to bar it from using this API.


In this way, correlation of users cross-site should be impossible based on either the number itself or the exact timing
of this number changing. Hence, this API should not provide any substantially new information to the site except a hint
when to best call `read()` so that it's optimal and user-friendly.

The last consideration will limit any attempts of using this outside of the intended use case. The driver behind this
is - sites that do not read from the clipboard should never need to use this and doing so would probably be some attempt
at abuse which user agent could mitigate.

## Alternatives

### Functionality itself
Expand Down
Loading