News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

Replace 'select' with 'copy' for code boxes

Started by Arantor, July 09, 2022, 10:12:00 AM

Previous topic - Next topic

Arantor

Back in the mists of time when we had code boxes, the little 'select' button to select the text was the best that could be done, copying to the clipboard didn't exist (outside of using Flash widgets).

But now browsers support this natively, even on mobile devices. Can we please make it so instead of 'select' it just copies to the clipboard by default since that's inevitably what you're going to be doing after having selected the text...

Arantor

As a side thought, this might need to be tempered; copy to clipboard as a browser-native function is expressly an HTTPS only action so you might have to either a) simply not do anything for HTTP-only or b) leave Select in place for those folks, and upgrade it to copy-to-clipboard on HTTPS.

Aleksi "Lex" Kilpinen

#2
Honestly, even though I agree it would be handy, I would personally prefer not to see this happen, or at least be an optional configuration item. Manually copying selected text is not a difficult task, and clipboard hijacking is a thing, a thing where when I see someone offering automatic copy functions I cringe. I do know it's not really limited to only automatic copying, but still, one of those thing's I've learned to be wary of.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

d3vcho

Well, it depends on how much text it is. The code box is meant to have code in it, and as a developer, sites that offer copy to clipboard are much better for productivity and avoid silly mistakes like forgetting to copy the closing curly bracket.

It's worth considering.
"Greeting Death as an old friend, they departed this life as equals"

Arantor

You can only put things into the clipboard on the back of a user interaction - you can't just randomly write to the clipboard or read from it, it has to be when the user does something, e.g. presses a button.

Aleksi "Lex" Kilpinen

Quote from: Arantor on July 10, 2022, 05:43:18 AMe.g. presses a button.
Yes, that's the part that I'm a bit wary of - Making the push of a button to copy data more common and expected.
That "copy" push can be manipulated to replace the contents. But like I said, I do see benefits in this as well, so basically I'm a bit conflicted.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

1) this is hardly new functionality - I had a version of this in LevGal in 2014, other platforms we're doing similar back then too (though we all did it with Flash widgets because the Clipboard API didn't exist then)

2) if hijacking is your concern, you shouldn't *ever* be copy/pasting even if you manually select the text and manually copy it, because that is just as susceptible to tampering. In fact, it's actually easier to tamper with than what I'm proposing here - has been for years. Very often used on sites to add a link back to you copying something from the page as attribution.

Aleksi "Lex" Kilpinen

I do understand that, I do. And it's not that I don't like the possibilities it offers. My thought was mostly that I can think of scenarios where this functionality might not be wanted, and so it probably would be better as an option than a default. I admit, I may be wrong.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

I can't think of a single scenario where this is a downside, personally, but better to remain with the status quo I guess.

Aleksi "Lex" Kilpinen

#9
I do wish people would understand that I am only voicing my personal views when I take part in discussions like this, and would stop treating my opinion as fact. Sorry for breaking the lock, but not the first time when this happens - and not the first time I feel I have to say this.
We are not a dictatorship, I am not a dictator.

EDIT: It is a well known fact, I'm not a huge fan of Wysiwyg editors either, yet I'm not demanding we abandon the idea.
Similar thing applies here, and partially these two things are actually very much related.
https://research.securitum.com/the-curious-case-of-copy-paste/
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Steve

Not sure who or why this is locked but I also apologize for breaking it.

FWIW, all major browsers have an autocopy addon so that when I click 'Select', the contents are automatically copied to my clipboard.
Please do not PM me for support.

Chief of Nothing

Ok, so the original topic was locked while I was typing out a reply. No biggie I thought I'd just leave it alone but then a mod made an edit pointing out research which couldn't be responded to and then another mod then added another post about the topic at hand which can't be responded to. That's just unfair so I'll have my say. There is still good discussion that could be had without anyone treading on toes or feeling like their toes have been tread upon. So...

Firstly, I am not for or against this feature, though I had wondered why it hadn't been done.

Lex, I get your concern, I truly do and every security conscious person should be cautious however how it would be done today is not how it would have been done yesterday. The research you pointed to mostly concerned pasting into the browser, and that's part of our job to sanitise that. What is being suggested is to be able to copy out of the browser in one click.

Today, browsers have built in api for clipboard operations (completeness varies -  MDN) and reading and writing the clipboard contents can be specified as text only. For our purposes that is all that would be needed and as an attack vector with changed content, an attacker would have to had compromised the site already in which case you've got bigger problems anyway.

Arantor isn't quite correct with what he wrote, unless he's thinking of a different way but like any function you can invoke the clipboard operations without user participation by firing it from DOMContentLoaded or inline scripting but that's not what we would do, we would have a button that invokes copying to the clipboard. And again, as an attack vector an attacker would have to introduce this "automatic copying" and again if that happens you've got bigger problems.

The biggest issue I could see is that the users browser might (most probably would) throw a permissions warning which they might not understand.

I'll leave it there, I've said my bit and hopefully helped you understand it a bit more with the MDN resource. I had more to say on the tempering bit but I've probably said enough for now.


Aleksi "Lex" Kilpinen

Merged, as the topic had been unlocked in the meantime.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

Quote from: Chief of Nothing on July 10, 2022, 10:51:04 AMyou can invoke the clipboard operations without user participation by firing it from DOMContentLoaded

Well, document.execCommand lets you do some things (which I alluded to though there are others involving manipulating document.getSelection() and adding ranges to it), but if you're firing it from DOMContentLoaded, there's not really a lot you can do about that from the user perspective to protect yourself, which was the point being made. You don't get to say what happens during DOMContentLoaded unless you're running NoScript or similar in the first place, so that as a line of security argument comes back to the same as mine as 'don't ever use copy/paste if you have security concerns' because you can hijack all of the other ways in insidious fashions anyway.

Thing is, that's a situation you have *anyway* regardless of my suggestion, meaning that it's irrelevant to the discussion at hand.

From my testing, Firefox and Chrome didn't put up any such permissions warnings when triggered from a user action. Because, like almost every other feature request I've put through in the last few months (while waiting to hear if any of them were even close to the roadmap, so maybe I could contribute), I have a working implementation of this. I had it even before I submitted the topic.

I guess I better remove the functionality from LevGal lest that also be accused of being a security risk.

And the reason it was locked? I realised that arguing for change, even a minor quality of life improvement, was a waste of time because it took more time to debate and defend than it did to implement a basic working version.

Aleksi "Lex" Kilpinen

Quote from: Arantor on July 10, 2022, 11:50:04 AMI guess I better remove the functionality from LevGal lest that also be accused of being a security risk.
With all due respect, I made absolutely no accusations of any kind in this topic.
I tried to bring forth a point of view, on why not every forum might want to have the functionality to begin with.
Not that the functionality is inherently unsafe in itself.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

No, I know you didn't. But people are complicated, and the assertion that 'automated copy/paste can be a security risk' can and will be taken out of context by people.

Aleksi "Lex" Kilpinen

Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

Similarly, your words get taken as 'the voice of management' even though I am well aware it was your own personal perspective on the matter. Trouble is, people see the badge and interpret things differently as a result.

Chief of Nothing

Quote from: Arantor on July 10, 2022, 11:50:04 AMWell, document.execCommand lets you do some things...

Well I specifically didn't mention document.execCommand as I didn't think you'd be using that method, with document.execCommand now being depreciated. If the devs do decide copy to clipboard is useful I believe the navigator.clipboard api would be the better way to go, and can be checked if supported and select given in place of copy if it isn't.

I won't address the rest of your post, not because I think your not worth replying to but because I think we'll just end up going in circles as we have done before which isn't productive to either of us except to say that all I was doing was trying to convey to Lex (who I thought was the one that locked the topic, sorry Lex) that the feature as being suggested would not be the potential security issue he may have thought it might be, and that as an attack vector for SMF an attacker would have had to have breached the forum already.

Oh, for reference, Chromium gave the permissions warning for allowing the clipboard api, Firefox didn't.

Arantor

Interesting that Chrome doesn't present the dialog but Chromium does.

Advertisement: