Chrome 104 version brings a new bug: websites can write to the user’s clipboard without any user gesture conditions.

The clipboard is what we usually copy and paste, and it may store some very important information, such as passwords or public keys, and verification codes.Generally speaking, a web page should use the clipboard only when the corresponding user gesture is queried, such asKeyboard shortcuts for copying content (Ctrl+C), or long-pressing text boxes on mobile.

However Chrome 104 version deleted the judgment of user gesture conditions,lead to websiteexistwithout any promptReplace the data in the clipboard, which is very dangerous,It may cause important information to be overwritten, or some spam information to be maliciously written.

Chrome developers have discovered this issue, but it has not yet been fixed, and it still exists in the current version of Google Chrome, both mobile and PC.

In addition, some Chrome users will randomly copy the page’s style code, page URL and other content when copying text on a webpage (depending on what the website wants to put on your clipboard).and the whole processThere are no visible instructions or user interaction: I just wanted to copy a word, but when you open the clipboard, it’s filled with all kinds of content.

Developer Jeff Johnson conducted a detailed analysis of the bug and made a demo website for the bug. Visit https://webplatform.news/ with Chrome 104 and above, and the following text will appear on your system clipboard:

Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github .com/w3c/clipboard-apis/issues/182.

Hello, this message appeared in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for any inconvenience caused. See https://github.com/w3c/clipboard-apis/issues/182 for more information on this issue.

I have tested it inno hintsmy system clipboard was written to the above by the website.

Also, you might think that browsers only turn on clipboard permissions for copy-paste, however in Jeff Johnson’s test, the following DOM events all grant the web page permission to overwrite the system clipboard using the clipboard API:

• click
• copy
• cut
• focusout
• keydown
• keyup
• mousedown
• mouseup
• pointerdown (desktop only)
• pointerup (desktop only)
• selectstart

Clicking on a link or scrolling down a page counts as completely unrelated commands, so to speak: when you move the mouse on a web page, it has permission to put something on your clipboard.

And that’s not a feature of Chrome, The same goes for Safari (desktop and mobile) and Firefox.