Reading the clipboard with every keystroke
-
-
@Gurth weird. Someone from LinkedIn replied:
Down in the replies this was allegedly being done to try to see if something was autocompleted. The logic was that a bunch of text showed up, and if it matched the clipboard, assume a paste, otherwise assume the browser (or app?) autocompleted it.
Why they care about that seems to be an exercise left to the reader.
-
In Pale Moon, I've had dom.event.clipboardevents.enabled set to false for many years (I assume it's the same setting in other Firefox-based browsers), and honestly it's freaked me out all along that somehow this isn't the default and that turning it off is buried in the advanced config preferences. I just can't imagine who spec'd out the idea of web pages reading clipboards and getting notified whenever it has new contents and thought that it was a thing that ought to happen by default.
-
@pcooper
Isn't there a site-specific setting that's set to "ask" by default? At least in Chromium-based browsers, I get a permission pop-up when websites request clipboard access.
-
@boomzilla said in Reading the clipboard with every keystroke:
Down in the replies this was allegedly being done to try to see if something was autocompleted. The logic was that a bunch of text showed up, and if it matched the clipboard, assume a paste, otherwise assume the browser (or app?) autocompleted it.
Why they care about that seems to be an exercise left to the reader.
When I read the article I began to wonder why an app would need to look at the clipboard at all unless the user specifically wants it, or perhaps when the user makes a new document (since some apps put the clipboard contents into that, if possible). Other than that, I have no idea what the app would need the clipboard contents for.
-
@Gurth said in Reading the clipboard with every keystroke:
@boomzilla said in Reading the clipboard with every keystroke:
Down in the replies this was allegedly being done to try to see if something was autocompleted. The logic was that a bunch of text showed up, and if it matched the clipboard, assume a paste, otherwise assume the browser (or app?) autocompleted it.
Why they care about that seems to be an exercise left to the reader.
When I read the article I began to wonder why an app would need to look at the clipboard at all unless the user specifically wants it, or perhaps when the user makes a new document (since some apps put the clipboard contents into that, if possible). Other than that, I have no idea what the app would need the clipboard contents for.
Agreed, for both websites and “apps” (as they share a common security expectation compared to normal desktop applications which are historically more privileged) I see no reason for this to be possible. The only thing they should be able to do is write to the clipboard and maybe read the contents after direct user interaction, although this should better be handled transparently. (“Here’s data the user pasted” instead of “the user did something, maybe check what’s in the clipboard.”)
Anything that needs more fancy access (Office on the web? Ring buffers?) can reimplement it locally inside the app without gaining additional privileges. Everybody badly reimplementing native functionality in JS is already standard practice, no need to give up security here.
Interesting that they mention password managers. Basically this sounds like: if you’re not using your browser’s password manager and it’s using the clipboard to communicate (instead of other mechanisms like synthesizing keyboard input) you better not have any other websites open or they can steal your password.
-
@topspin said in Reading the clipboard with every keystroke:
Agreed, for both websites and “apps” . . . I see no reason for this to be possible.
So far, everyone who has been called out for doing this has said they are going to "fix" it. But it still doesn't change the fact that they had no legitimate reason for doing it in the first place, and they are only changing it now that they have been caught doing something a bit sketchy.
-
@El_Heffe said in Reading the clipboard with every keystroke:
they have been caught doing something a ~~bit~~ lot sketchy.
FTFY
-
@Gurth said in Reading the clipboard with every keystroke:
@boomzilla said in Reading the clipboard with every keystroke:
Down in the replies this was allegedly being done to try to see if something was autocompleted. The logic was that a bunch of text showed up, and if it matched the clipboard, assume a paste, otherwise assume the browser (or app?) autocompleted it.
Why they care about that seems to be an exercise left to the reader.
When I read the article I began to wonder why an app would need to look at the clipboard at all unless the user specifically wants it, or perhaps when the user makes a new document (since some apps put the clipboard contents into that, if possible). Other than that, I have no idea what the app would need the clipboard contents for.
Well, I actually had a use case for it once. I had validation on a textbox that was only supposed to accept numbers. I could stop keypress events like anybody halfway competent. But to prevent pasting characters, I had to read the clipboard, set a modified copy, let the paste event happen, and restore the original contents. Because God forbid the clipboard being pasted be provided as an argument or something. I only ever got that to work halfway reliably in one browser. Guess which one. Anyway, browser paste events are pretty broken and I stopped giving a damn about that failed project anyway so I quit.
-
@El_Heffe said in Reading the clipboard with every keystroke:
But it still doesn't change the fact that they had no legitimate reason for doing it in the first place
They've got away with the other 50 extremely intrusive practices they had no legitimate reason for doing that they've nevertheless been doing for a decade (contacts access anyone?). I am actually shocked that any company at all has even answered the question of why they're doing this. If I was less cynical, I might've even said that this might be a sign that people are finally becoming more aware of privacy and security.
Just think about it - how long ago have these APIs been publicly available?
-
@Zenith said in Reading the clipboard with every keystroke:
Well, I actually had a use case for it once. I had validation on a textbox that was only supposed to accept numbers. I could stop keypress events like anybody halfway competent. But to prevent pasting characters, I had to read the clipboard
Why not just check it when the user ends editing the contents? Just please don’t do it like Adobe:
(Typical cause of this very annoying error window: you want to, say, move an object a 1 point to the right, so you type “+1 pt” after the current x-coordinate and press Return, but make a typo, like hitting Return before typing the t.)
@Gąska said in Reading the clipboard with every keystroke:
Just think about it - how long ago have these APIs been publicly available?
Since March 2008, I suppose? So it’s taken twelve years for anyone to actually notice, and even then only because the beta of the upcoming version of iOS warns you when an app reads clipboard data.
-
@Gurth still, I expected people to accept the notifications without question as the new annoyance to deal with and think nothing of, just like cookie notice - and now full-page GDPR notice - that everybody just mindlessly clicks through.
Speaking of GDPR notices - I'm still shocked just how many "partners" a typical medium-large website has.
-
@Zenith said in Reading the clipboard with every keystroke:
Guess which one
Oh! Oh! I know!
Was it Netscape 4.0?
-
@Gurth said in Reading the clipboard with every keystroke:
Why not just check it when the user ends editing the contents? Just please don’t do it like Adobe:
Because I wanted it to be seamless. Simply not pasting the invalid characters in the first place prevented having to nag about them later.
And no, I'm not stupid enough to put up a message box anywhere but at submission. They're irritating as hell when they're all over the place. That sort of crap is what happens when you have some idiot that doesn't realize the code is part of a process and just thinks "I am being doing only what is being in the ticket of needful."
@Tsaukpaetra said in Reading the clipboard with every keystroke:
Oh! Oh! I know!
Was it Netscape 4.0?
Bzzt! Internet Explorer. The only sane browser because it's not trying to force you to do some hipster's bidding because reasons.
: Here are the layout rules. They'll never change unless we find an actual bug.
: We, the Council of Hipsters, hate tables and other HTML4 tags because reasons. So we'll keep fucking them up until you do what you're told and use DIVs for everything. But we'll never make any of these thoughtless kludges work the way you actually need them to because it is not needful to being doing.
-
@Zenith said in Reading the clipboard with every keystroke:
: Here are the layout rules. They'll never change unless we find an actual bug. Also anyone from anywhere can execute arbitrary executables!
-
@Zenith said in Reading the clipboard with every keystroke:
Bzzt! Internet Explorer. The only sane browser because it's not trying to force you to do some hipster's bidding because reasons.
It's not sane, it's just awful in different ways.
-
@Zenith said in Reading the clipboard with every keystroke:
trying to force you to do some hipster's bidding because reasons.
Is it though?
-
@Zenith said in Reading the clipboard with every keystroke:
. Simply not pasting the invalid characters in the first place prevented having to nag about them later.
Most implementations I've seen simply reject invalid characters onChange, so if you didn't paste any numbers nothing happens, and the people who copy numbers with shit in them (like tabs, commas, and spaces) get filtered out and what is expected to happen happens.
-
@Tsaukpaetra said in Reading the clipboard with every keystroke:
@Zenith said in Reading the clipboard with every keystroke:
"trying to force you to do some hipster's bidding because reasons."
Is it though?
So far no man buns so I'm ok.
-
@Tsaukpaetra said in Reading the clipboard with every keystroke:
@Zenith said in Reading the clipboard with every keystroke:
. Simply not pasting the invalid characters in the first place prevented having to nag about them later.
Most implementations I've seen simply reject invalid characters onChange, so if you didn't paste any numbers nothing happens, and the people who copy numbers with shit in them (like tabs, commas, and spaces) get filtered out and what is expected to happen happens.
onkeypress
onkeydown
onkeyup
onblur
onchange
onpaste
I threw together a sample page and tested with IE8 only. OnChange isn't really on all changes, just those that occurred with focus engaged and only after focus is lost. Also not sure if this was the case at the time (or with non-IE browsers) but filtering after the fact doesn't help you with an 8-character field when you copied 9 characters.
-
@Zenith said in Reading the clipboard with every keystroke:
an 8-character field
Ah, you're using the maxlength attribute? How quaint! You're filtering already and overriding the browser's handling, don't slap yourself in the face a second time!
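Added example (not part of any post in this thread): the digits-only field discussed above can be handled from the text the paste event itself delivers, so the page never reads or rewrites the clipboard, and the 8-character limit is applied before the text lands in the field. The function names and the data-digits-only attribute are hypothetical; the last function goes slightly beyond the thread and shows how a page can tell a paste apart from other input without clipboard access.

```javascript
// Added illustration; sanitizePaste, handlePaste, isPasteInput and the
// data-digits-only attribute are hypothetical names, not from the thread.

// Work out the field's new value for a paste, using only the pasted text.
// Non-digits are dropped first, then the result is cut to the room left
// under maxLength, so "9 characters into an 8-character field" is handled
// after filtering rather than before it.
function sanitizePaste(current, selStart, selEnd, pasted, maxLength) {
  const before = current.slice(0, selStart);
  const after = current.slice(selEnd);          // selected text is replaced
  let digits = pasted.replace(/\D+/g, '');      // tabs, commas, spaces, letters
  if (maxLength >= 0) {                         // -1 means no maxlength attribute
    const room = Math.max(0, maxLength - before.length - after.length);
    digits = digits.slice(0, room);
  }
  return { value: before + digits + after, caret: before.length + digits.length };
}

// 'paste' event handler: the browser hands over exactly what the user chose
// to paste via event.clipboardData. No navigator.clipboard.readText(), no
// permission prompt, and the clipboard contents are left untouched.
function handlePaste(event) {
  const input = event.target;
  const pasted = event.clipboardData.getData('text/plain');
  event.preventDefault();                       // stop the unfiltered insert
  const next = sanitizePaste(
    input.value, input.selectionStart, input.selectionEnd, pasted, input.maxLength
  );
  input.value = next.value;
  input.setSelectionRange(next.caret, next.caret);
}

// 'input' event check: modern browsers label paste-driven changes with
// inputType "insertFromPaste", so "was this pasted?" can be answered
// without comparing the field against the clipboard.
function isPasteInput(event) {
  return event.inputType === 'insertFromPaste';
}

// Wire up in a browser; skipped when run outside one (e.g. under Node).
if (typeof document !== 'undefined') {
  for (const el of document.querySelectorAll('input[data-digits-only]')) {
    el.addEventListener('paste', handlePaste);
  }
}
```

Typed characters still need their own filter (an input handler, for example); this block covers only the paste path.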
-
@Tsaukpaetra It's just amazing how much is so trivial in WinForms and so stupidly difficult/half-baked in a browser. How the hell did the browser end up being the only platform anybody develops anything for?
-
@Zenith said in Reading the clipboard with every keystroke:
@Tsaukpaetra It's just amazing how much is so trivial in WinForms and so stupidly difficult/half-baked in a browser. How the hell did the browser end up being the only platform anybody develops anything for?
It's the closest anyone has gotten to a truly platform-independent way of running arbitrary applications on the widest array of operating systems and machines.
Edit: Hell, if Microsoft cared enough to have ported .Net to Mac and Linux back in the day the browser probably wouldn't have even evolved further than a nifty way to read books.
Edit edit: For those who want to skip a pointless bicker, click here
-
@Zenith The thing is that HTML is not a language for designing UI in. It's a language for designing a document in. It's really, really great at designing documents and I'm surprised how well it's done in that regard. This is not to say you can't design a user interface in HTML; it's got all the necessary tools. But you will definitely meet with friction if you try to. Such as the fifty lines of CSS and miscellaneous divs for putting two things next to each other.
And as for how the browser ended up being the primary development target: because everyone already has it on their computer, or even their phones. It's the new write-once-run-everywhere, except users don't even have to download it, or at least not from their perspective. The problem is not web; web as a delivery platform is great. The problem is that there's only one language with which you can write web.
-
@Tsaukpaetra said in Reading the clipboard with every keystroke:
Edit: Hell, if Microsoft cared enough to have ported .Net to Mac and Linux back in the day the browser probably wouldn't have even evolved further than a nifty way to read books.
Bull. .NET may be much better to use from a programmer's perspective, but from a user's perspective it's indistinguishable from Java, which is usually indistinguishable from a regular program, and that's been around since 1995. It's not about platform compatibility, it's about instant feedback and discoverability.
-
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
Edit: Hell, if Microsoft cared enough to have ported .Net to Mac and Linux back in the day the browser probably wouldn't have even evolved further than a nifty way to read books.
Bull. .NET may be much better to use from a programmer's perspective, but from a user's perspective it's indistinguishable from Java, which is usually ~~indistinguishable from~~ somewhat similar to a regular program, and that's been around since 1995. It's not about platform compatibility, it's about instant feedback and discoverability.
I could always tell when I was stuck with a Java program from 1995-2005 because of how awful their litany of weird UI frameworks was.
-
@pie_flavor said in Reading the clipboard with every keystroke:
from a user's perspective it's indistinguishable from Java
I can double-click an EXE file in .Net and it will seamlessly work or prompt me to automatically install the required package to make it work (in Windows, natch). I cannot double-click a .class file (or practically any other java program) and expect it to work without a ton of fiddling or relying on a launcher that does that for me.
@pie_flavor said in Reading the clipboard with every keystroke:
it's about instant feedback and discoverability.
I don't understand what you mean. A button is a button and a textbox is a textbox. What's undiscoverable about that?
UI design sucks whatever language you use, that's not the language's fault.
-
@Tsaukpaetra said in Reading the clipboard with every keystroke:
I cannot double-click a .class file (or practically any other java program) and expect it to work without a ton of fiddling or relying on a launcher that does that for me.
The problem is definitely on your end, because installing Java associates it with .jar files, you know, like normal programs do for the files they use.
-
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
I cannot double-click a .class file (or practically any other java program) and expect it to work without a ton of fiddling or relying on a launcher that does that for me.
The problem is definitely on your end, because installing Java associates it with .jar files, you know, like normal programs do for the files they use.
And clicking them usually results in some error about not finding something or another.
-
@Tsaukpaetra said in Reading the clipboard with every keystroke:
I don't understand what you mean. A button is a button and a textbox is a textbox. What's undiscoverable about that?
Discoverability of websites. Not of the individual elements of the interfaces of websites.
-
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
I don't understand what you mean. A button is a button and a textbox is a textbox. What's undiscoverable about that?
Discoverability of websites. Not of the individual elements of the interfaces of websites.
Sounds like an implementation detail, which I said before. I can make a Java or a .Net application equally undiscoverable (and perhaps even more easily!), and that proves nothing.
-
@Tsaukpaetra said in Reading the clipboard with every keystroke:
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
I cannot double-click a .class file (or practically any other java program) and expect it to work without a ton of fiddling or relying on a launcher that does that for me.
The problem is definitely on your end, because installing Java associates it with .jar files, you know, like normal programs do for the files they use.
And clicking them usually results in some error about not finding something or another.
And what the something or other is will be informative in whether this is genuinely a problem with Java, or just the standard problem with you breaking your computers.
-
@Tsaukpaetra said in Reading the clipboard with every keystroke:
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
I don't understand what you mean. A button is a button and a textbox is a textbox. What's undiscoverable about that?
Discoverability of websites. Not of the individual elements of the interfaces of websites.
Sounds like an implementation detail, which I said before. I can make a Java or a .Net application equally undiscoverable (and perhaps even more easily!), and that proves nothing.
You seem to interpret me as saying websites are less discoverable, not more. Unless "equally undiscoverable" is a delayed gag so you can tell me "that means the same thing as equally discoverable".
-
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
I cannot double-click a .class file (or practically any other java program) and expect it to work without a ton of fiddling or relying on a launcher that does that for me.
The problem is definitely on your end, because installing Java associates it with .jar files, you know, like normal programs do for the files they use.
And clicking them usually results in some error about not finding something or another.
And what the something or other is will be informative in whether this is genuinely a problem with Java, or just the standard problem with you breaking your computers.
Alright, I'll bite. Lemme set up a fresh VM with the latest Java and see what happens if I double-click minecraft.jar. For a speedier installation I'll be using Windows 7 for this.
-
@Tsaukpaetra possibly the worst example since it requires a terminal to be useful or give any feedback, but sure, go ahead if you want. Otherwise the installer for Minecraft Forge is a much better test.
-
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
I don't understand what you mean. A button is a button and a textbox is a textbox. What's undiscoverable about that?
Discoverability of websites. Not of the individual elements of the interfaces of websites.
Sounds like an implementation detail, which I said before. I can make a Java or a .Net application equally undiscoverable (and perhaps even more easily!), and that proves nothing.
You seem to interpret me as saying websites are less discoverable, not more. Unless "equally undiscoverable" is a delayed gag so you can tell me "that means the same thing as equally discoverable".
You trying to turn this into a garage topic? Because I've been meaning to practice my skills.
You said:
@pie_flavor said in Reading the clipboard with every keystroke:
It's not about platform compatibility, it's about instant feedback and discoverability.
I'd argue that a heavily CSS'd website is definitely less discoverable than a standardized app that uses the OS's GUI toolkit to match every other native app.
Take your favorite forum software for example. What is definitely a button, what is a link, what does things when you click on them and what interesting and unexplained things can happen simply by moving the mouse around?
-
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra possibly the worst example since it requires a terminal to be useful or give any feedback, but sure, go ahead if you want. Otherwise the installer for Minecraft Forge is a much better test.
Okay, give me any other .jar I can download (not something with an .exe wrapper, mind you, because yes, Forge also has a wrapper) that I can double-click then.
-
@Tsaukpaetra again: by discoverability, I was referring to that of a webpage itself, not of the individual elements in it. FWIW, a nontechnical user does not really care about the difference between a button and a link other than being slightly concerned about form data being lost.
-
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra again: by discoverability, I was referring to that of a webpage itself, not of the individual elements in it.
Then I have lost your point, whatever you are trying to make.
FWIW, a nontechnical user does not really care about the difference between a button and a link other than being slightly concerned about form data being lost.
Implementation detail, and again, besides the actual point.
-
@Tsaukpaetra Forge has an EXE wrapper, but it also has the JAR directly.
-
@Tsaukpaetra said in Reading the clipboard with every keystroke:
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra again: by discoverability, I was referring to that of a webpage itself, not of the individual elements in it.
Then I have lost your point, whatever you are trying to make.
I can repeat it a third time if you'd like.
-
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra Forge has an EXE wrapper, but it also has the JAR directly.
Lest I repeat myself, yes, some programs can get this right out the gate. I have not had this experience with most java programs, and I invite you to find me one that's not Minecraft that comes without a wrapper that I can double-click on and have it run.
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra again: by discoverability, I was referring to that of a webpage itself, not of the individual elements in it.
Then I have lost your point, whatever you are trying to make.
I can repeat it a third time if you'd like.
I don't want you to repeat, because I can parrot the same thing back and waste time. Your point is unclear, repeating the same thing does not make an unclear statement clearer.
-
@Tsaukpaetra said in Reading the clipboard with every keystroke:
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra Forge has an EXE wrapper, but it also has the JAR directly.
Lest I repeat myself, yes, some programs can get this right out the gate. I have not had this experience with most java programs, and I invite you to find me one that's not Minecraft that comes without a wrapper that I can double-click on and have it run.
I wouldn't count the Forge installer as "Minecraft". But sure. Bearded Octo-Nemesis 2, a tool for deobfuscating code.
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra again: by discoverability, I was referring to that of a webpage itself, not of the individual elements in it.
Then I have lost your point, whatever you are trying to make.
I can repeat it a third time if you'd like.
I don't want you to repeat, because I can parrot the same thing back and waste time. Your point is unclear, repeating the same thing does not make an unclear statement clearer.
Certainly makes it louder, though.
-
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra Forge has an EXE wrapper, but it also has the JAR directly.
Shits and giggles, let's do it, why not.
Looking OK, except I'm stuck because now I need to get the minecraft launcher. Failed right out the gate in doing its installing, but at least it's not Forge's fault because natch it's supposed to overlay an installed program and isn't standalone.
What about Server?
Hey this one does the needful! Why couldn't it do that for the Client install? Who the fuck knows...
-
@pie_flavor said in Reading the clipboard with every keystroke:
Certainly makes it louder, though
Not really.
@pie_flavor said in Reading the clipboard with every keystroke:
I wouldn't count the Forge installer as "Minecraft". But sure. Bearded Octo-Nemesis 2, a tool for deobfuscating code.
Sure! Let's do it!
Whomp wah.
@pie_flavor said in Reading the clipboard with every keystroke:
And what the something or other is will be informative in whether this is genuinely a problem with Java, or just the standard problem with you breaking your computers.
Genuinely a problem with Java I guess. Can't tell, who knows.
-
@Tsaukpaetra Probably have to update Java.
Hey, I never said it was perfect. And you went with an outdated OS on purpose, while the tool is modern.
-
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra Probably have to update Java.
I literally got the latest version straight from Oracle, unless jre-8u251-windows-i586 isn't that.
Hey, I never said it was perfect. And you went with an outdated OS on purpose, while the tool is modern.
I'm waiting for Windows 10 to "One moment, getting a few things ready".
-
@Tsaukpaetra said in Reading the clipboard with every keystroke:
Hey this one does the needful! Why couldn't it do that for the Client install? Who the fuck knows...
I the fuck knows. Licensing restrictions. The vanilla server is a publicly available download on the Mojang website. In contrast, the vanilla client is only accessible if you have been authenticated as a legitimate game owner.
-
@pie_flavor said in Reading the clipboard with every keystroke:
@Tsaukpaetra said in Reading the clipboard with every keystroke:
Hey this one does the needful! Why couldn't it do that for the Client install? Who the fuck knows...
I the fuck knows. Licensing restrictions. The vanilla server is a publicly available download on the Mojang website. In contrast, the vanilla client is only accessible if you have been authenticated as a legitimate game owner.
And yet both options had red text surrounding them but one actually succeeded. Discoverable!
-
@Tsaukpaetra said in Reading the clipboard with every keystroke:
I'm waiting for Windows 10 to "One moment, getting a few things ready".
Goddam I forgot how long this takes on HDD...
Edit: Ah shit I just realized this is 1909, it's not up-to-date so therefore I can't assume this "modern tool" will work. Fuck.
30+ is still several I guess...