reminder: 2402 dom.allow_cut_copy #1081

Closed
Thorin-Oakenpants opened this issue Dec 25, 2020 · 11 comments

Comments

@Thorin-Oakenpants
Contributor

Thorin-Oakenpants commented Dec 25, 2020

!remind me in 500 days

current: - both in TB are at default true

/* 2402: disable website access to clipboard events/content [SETUP-HARDEN]
 * [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress
 * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
 * [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one
 * is default false) then enabling this pref can leak clipboard content [1]
 * [1] https://bugzilla.mozilla.org/1528289 */
   // user_pref("dom.event.clipboardevents.enabled", false);
/* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
 * this disables document.execCommand("cut"/"copy") to protect your clipboard
 * [1] https://bugzilla.mozilla.org/1170911 ***/
user_pref("dom.allow_cut_copy", false);

I've been down this road before, but I'll start again to definitively work out if anything is a concern here

I'm more concerned about the older execCommand

Thorin-Oakenpants changed the title from "reminder: check dom.allow_cut_copy" to "reminder: 2402 dom.allow_cut_copy" on Jan 28, 2021
@Thorin-Oakenpants
Contributor Author

note to self: there's a difference between sniffing and social engineering

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Feb 24, 2021

bugzillas

  • 1680892 Clipboard content stealing by tricking the user into pressing Ctrl + V on a hidden input
  • 363132 By making Cut/Copy shortcut fail, a site can see your clipboard with little cooperation
  • 1528289 Middle click-hold-release fires paste event after autoscrolling
  • 1515783 Paste listener should not fire on middle-click; can silently leak clipboard data on routine user actions

something to think about

  • 1192066 Clear clipboard when using "Copy Password" in about:logins

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Apr 15, 2021

Note to self: happy to keep dom.allow_cut_copy as false: the new (universal) clipboard API has been implemented since FF63 2018-10-23 which by my counting is two and a half years - so I doubt there is much breakage

As for clipboard API, I have questions over read/write changes in 87+ .. but AFAICT, the security is as tight as can be (cross-origin etc) and it all comes down to meatware (the human element as compared to hardware/software)

Thorin-Oakenpants referenced this issue Aug 26, 2021
This doesn't achieve anything. AFAICT, it's an old gecko only API, not used on the web: superseded by the Clipboard API (added in FF21+)
@Thorin-Oakenpants
Contributor Author

Finally had some clarity on this issue after wondering for years just what the threat and risks were here

What they do

  • dom.allow_cut_copy: is only cut/copy = old gecko shit before Clipboard API
  • dom.event.clipboardevents.enabled : cut/copy/paste = Clipboard API (which is a standard since FF40ish or something) - so this is what websites use, cross browser support

What else

  • Both require user interaction, but the Clipboard API can be fingerprinted without user interaction
  • On copy: no one cares. It was already on the webpage, so what if you copy or cut something. It's not going to be used to track you on the web.
  • On paste: this event only fires on editable, focused (and thus visible) fields - and you have to actually go ctrl-v, or right-click and paste etc

What's the threat

  • pasting: opsec/trickery and a couple of bugzillas: see above
  • there could be an argument made for keeping the OS clipboard isolated from the browser. At this point, you should use AppArmor, Sandboxie, a VM - basically, this is out of scope for the user.js

Decision made

  • removed dom.allow_cut_copy
  • moved to the new don't bother section: dom.event.clipboardevents.enabled
    • for the record: it's been inactive since v75
    • maybe it could go under optional hardening: but you'll have to convince me
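
Added example (not from the thread or the project): a small Node.js check that reports whether the two clipboard prefs discussed here are actively set in a user.js or only present as commented-out lines. The sample input is constructed from the excerpt in the first comment; `stripComments` and `auditClipboardPrefs` are hypothetical helper names.

```javascript
// SAMPLE is constructed from the user.js excerpt quoted in the first comment.
const SAMPLE = `
/* 2402: disable website access to clipboard events/content [SETUP-HARDEN]
 * [1] https://bugzilla.mozilla.org/1528289 */
   // user_pref("dom.event.clipboardevents.enabled", false);
/* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
 * [1] https://bugzilla.mozilla.org/1170911 ***/
user_pref("dom.allow_cut_copy", false);
`;
const WATCHED = ["dom.event.clipboardevents.enabled", "dom.allow_cut_copy"];

// Drop /* */ and // comments but keep string literals intact (values may contain "//").
function stripComments(src) {
  let out = "", i = 0, state = "code";
  while (i < src.length) {
    const ch = src[i], two = src.slice(i, i + 2);
    if (state === "code") {
      if (two === "/*") { state = "block"; i += 2; continue; }
      if (two === "//") { state = "line"; i += 2; continue; }
      if (ch === '"') state = "string";
      out += ch;
    } else if (state === "string") {
      if (ch === "\\") { out += two; i += 2; continue; }
      if (ch === '"') state = "code";
      out += ch;
    } else if (state === "line") {
      if (ch === "\n") { state = "code"; out += ch; }
    } else if (two === "*/") { state = "code"; i += 2; continue; }
    i++;
  }
  return out;
}

// Report each watched pref; a later active user_pref() overrides an earlier one.
function auditClipboardPrefs(src) {
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;/g;
  const seen = new Map();
  for (const m of stripComments(src).matchAll(re)) seen.set(m[1], m[2]);
  const report = {};
  for (const name of WATCHED) {
    // value null means no active line: the browser default applies
    report[name] = seen.has(name)
      ? { active: true, value: seen.get(name) }
      : { active: false, value: null };
  }
  return report;
}

console.log(auditClipboardPrefs(SAMPLE));
```
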

@fxbrit
Collaborator

fxbrit commented Aug 26, 2021

thanks, very useful stuff.

> Clipboard API can be fingerprinted without user interaction

out of curiosity, it could do so with either the read or the write method from my understanding. but wouldn't users notice and maybe freak out a bit?

@Thorin-Oakenpants
Contributor Author

IDC if they freak out, the info in the user JS says "don't bother" with a handy [WHY] ... the fingerprinting is simply the existence of navigator.clipboard

@magnus-ISU

I was initially unsure if dom.event.clipboardevents.enabled shouldn't be an optional hardening, but after reading the bugzilla and thinking about it, I think you're right.

Just to double check, the fingerprinting isn't mitigated by that setting, right? And the only thing it really protects you from is manually pasting into a malicious field, or a website maliciously clearing/filling your clipboard?

@Thorin-Oakenpants
Contributor Author

> the fingerprinting isn't mitigated by that setting

The fingerprinting is binary and comes from if clipboard API is enabled or disabled

@Thorin-Oakenpants
Contributor Author

> the only thing it really protects you from is ...

For sure, blocking off the OS clipboard would help prevent any clipboard "accidents" (and edge case bugs), but I don't see any difference between pasting into a malicious field vs typing in one, TBH. If you use a password manager, then that certainly helps mitigate this sort of thing (for passwords and I think user login names as well) - i.e, you would be like, umm, where is my login suggestion, that's weird?

I don't think sites would bother spamming your clipboard with junk, I don't see the point. And they can't clear your OS clipboard (or just read from it willy nilly)

@Thorin-Oakenpants
Contributor Author

re-opening as a reminder to double check this
