[Note] JavaScript Clipboard API Restrictions

When using open-source or production HTML editors, you will often find that the paste half of the copy/paste feature they provide does not work. Why is that?

It turns out that the Clipboard API cannot read the contents of the OS clipboard.

The following is taken from the w3.org Clipboard API spec:

https://www.w3.org/TR/clipboard-apis/#h-the-paste-action

For the paste action, the script-may-access-clipboard flag depends on an implementation-specific permission mechanism for determining what sites or apps may read from the clipboard. When a paste action is triggered by a script, the implementation must not make clipboard contents available without the user's permission. If the permission has not already been granted, the permission prompt must include the hostname of the document associated with the script thread.

https://www.w3.org/TR/clipboard-apis/#h-event-handlers-that-are-allowed-to-read-from-clipboard

Synthetic paste events must not give a script access to data on the real system clipboard.

In short:
For security reasons, a script cannot access the OS clipboard directly without user permission.
For Chrome to access the clipboard, an additional extension or app has to be installed.

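P.S. The security concern can be understood through the following scenario:
Suppose someone likes to log in to websites by copying and pasting their credentials.
A malicious party could use JS on any web page to read the clipboard data and send it back to a server, and the account name and password would be stolen.
That is why browsers simply do not grant this access.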

Conclusion: when using these editors, just hide the paste button!
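
The following is an added example, not code from the original post or from any editor project. It shows how an editor can take pasted text only from a paste event the user triggered, ignore synthetic paste events as the spec text above describes, and hide the toolbar paste button. The names `handlePaste`, `visibleButtons`, `#editor` and `#paste-button` are assumptions, and the sample events are constructed.

```javascript
// Added example; handlePaste, visibleButtons, #editor and #paste-button are hypothetical names.

// Return the pasted plain text only when the browser itself fired the event
// in response to a user paste (Ctrl+V or the context menu).
function handlePaste(event) {
  // Events created and dispatched by script have isTrusted === false and
  // never carry data from the real system clipboard.
  if (!event || event.isTrusted !== true || !event.clipboardData) return null;
  return event.clipboardData.getData('text/plain');
}

// Toolbar policy: offer a paste button only if clipboard read access was
// granted; otherwise hide it and rely on the keyboard shortcut.
function visibleButtons(allButtons, clipboardReadGranted) {
  return allButtons.filter((name) => name !== 'paste' || clipboardReadGranted);
}

// Constructed sample events standing in for what a browser would deliver.
function demo() {
  const userPaste = {
    isTrusted: true,
    clipboardData: { getData: (type) => (type === 'text/plain' ? 'hello' : '') },
  };
  const syntheticPaste = { isTrusted: false, clipboardData: null };
  return {
    user: handlePaste(userPaste),
    synthetic: handlePaste(syntheticPaste),
    toolbar: visibleButtons(['copy', 'paste'], false),
  };
}

// Browser wiring (skipped when run outside a page, for example under Node).
if (typeof document !== 'undefined') {
  const editor = document.querySelector('#editor');
  const pasteButton = document.querySelector('#paste-button');
  if (pasteButton) pasteButton.hidden = true; // no clipboard permission is requested here
  if (editor) {
    editor.addEventListener('paste', (event) => {
      const text = handlePaste(event);
      if (text === null) return;
      event.preventDefault();
      document.execCommand('insertText', false, text); // insert as plain text
    });
  }
}
```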
