A Firefox surprise from disabling dom.event.clipboardevents.enabled

April 16, 2021

One of the things that browsers allow sites to do with JavaScript is to intercept and manipulate attempts to copy text out of them or paste text into them. Websites use this to do obnoxious things like stop you pasting email addresses and passwords into their forms or mangling the text you copy out (via, and this is potentially a security risk since what you think you're going to paste is not necessarily what you actually get). When I heard about this at some point (I'm not sure when, but it was no later than mid 2016), I went into about:config in all of my Firefox instances and disabled the dom.event.clipboardevents.enabled preference, which makes Firefox ignore Javascript attempts to interfere with cut and paste. Everything went along fine for years and years, with no visible downside, and I completely forgot about it.

(According to some searching of MDN, this controls HTMLElement.oncopy, HTMLElement.onpaste, and HTMLElement.oncut.)

Recently I wanted to copy some Grafana panels from one Grafana server to another, which in the modern web application way you do by viewing the JSON that defines the panel, copying it to the clipboard, going to the tab with your dashboard on the other server, and pasting in the JSON to overwrite the configuration of some victim panel. Old versions of Grafana had a handy 'copy to clipboard' button that did this for you, but in 7.5 you have to do it by hand. the menu item). Whenever I did this, I got mangled text, with most of the JSON elided and replaced with a '…' Unicode character.

After help from several people and experimentation with a completely clean Firefox profile, I narrowed this down to having dom.event.clipboardevents.enabled disabled. I don't know exactly what Grafana is doing here with its HTML, DOM, CSS, and JavaScript, but apparently it absolutely has to post-process the text when it's copied or you get something that isn't even the text being currently displayed on the screen, much less the full JSON that you need.

In light of this glitch (and because working with Grafana is somewhat important for me), I've reverted this preference to its default enabled state. In my main Firefox, this is pretty harmless because I have JavaScript almost entirely disabled through uMatrix, so websites can't intercept my cut and paste in the first place. In the Firefox profile I have to run all the sites that need JavaScript, I will have to hope that I don't run into any that refuse to let me paste or copy text; if I do, I will have to temporarily toggle the preference again. Hopefully the increase in password managers has made websites less silly about pasting things into form fields.

(Via this article I found a suggestion of the Luminous addon, but brief experimentation suggests that something like Grafana is completely beyond the ability of an addon like this to do anything sensible with.)

(This elaborates on some tweets. I'm not sure I'd know about Ctrl-A and Ctrl-C before, although I really should have; they're right there in Firefox's 'Edit' menu. Which I almost never look at.)


Comments on this page:

By Anonymous at 2021-04-17 06:11:43:

I'm not sure I'd know about Ctrl-A and Ctrl-C before

In the Microsoft world, CTRL-A, CTRL-C and CTRL-V are so common that I cannot even remember living without them: it wouldn't surprise me in the slightest if these go all the way back to early versions of MS-Windows (3.1).

Written on 16 April 2021.
« Learning about the idea of the HTTP self-post
My view of Wayland here in 2021 »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Apr 16 23:42:42 2021
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.