[Note] JavaScript Clipboard API Restrictions

When using open-source or production HTML editors, you will often find that the paste half of their copy/paste feature does not work. Why is that?

It turns out that the clipboard API cannot read the contents of the OS clipboard.

The following is taken from the w3.org Clipboard API spec:


For the paste action, the script-may-access-clipboard flag depends on an implementation-specific permission mechanism for determining what sites or apps may read from the clipboard. When a paste action is triggered by a script, the implementation must not make clipboard contents available without the user's permission. If the permission has not already been granted, the permission prompt must include the hostname of the document associated with the script thread.


Synthetic paste events must not give a script access to data on the real system clipboard.

For security reasons, a script cannot directly access the OS clipboard without user permission.
In Chrome, accessing the clipboard requires installing an additional extension or app.

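Otherwise, anyone with bad intent could use JS on an arbitrary web page to get the clipboard data and send it back to a server, and account names and passwords would be stolen.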

Conclusion: when using these editors, just hide the paste button!
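
How an editor can follow the rules quoted above, as an added example that is not part of the original post: it takes clipboard text only from a user-triggered paste event, ignores synthetic ones, and hides the paste button when no permission-gated read is available. The function names, the `#editor` and `#paste-btn` selectors, and the use of `navigator.clipboard.readText` as the permission-gated read are assumptions.

```javascript
// Added example; extractPastedText, pasteButtonVisible, #editor and #paste-btn
// are hypothetical names, not taken from any particular editor.

// Return the pasted plain text, or null when the event must not be honoured.
function extractPastedText(event) {
  // Script-dispatched (synthetic) events have isTrusted === false and never
  // carry real system clipboard data, so they are not treated as a paste.
  if (!event || event.type !== 'paste' || event.isTrusted !== true) return null;
  const data = event.clipboardData;
  if (!data || typeof data.getData !== 'function') return null;
  // Normalise line endings and drop control characters other than tab/newline.
  return data.getData('text/plain')
    .replace(/\r\n?/g, '\n')
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, '');
}

// A toolbar "Paste" button can only work through a permission-gated read.
// Assumption: that read is navigator.clipboard.readText in a secure context.
function pasteButtonVisible(env) {
  const clip = env && env.navigator && env.navigator.clipboard;
  return Boolean(env && env.isSecureContext && clip &&
    typeof clip.readText === 'function');
}

// Browser-only wiring; skipped when no DOM is present.
if (typeof document !== 'undefined') {
  const editor = document.querySelector('#editor');
  const button = document.querySelector('#paste-btn');
  if (button) button.hidden = !pasteButtonVisible(window);
  if (editor) {
    editor.addEventListener('paste', (e) => {
      const text = extractPastedText(e);
      if (text === null) return;
      const sel = window.getSelection();
      if (!sel || sel.rangeCount === 0) return;
      e.preventDefault();
      const range = sel.getRangeAt(0);
      range.deleteContents();
      // Insert as a text node so pasted markup is never parsed as HTML.
      range.insertNode(document.createTextNode(text));
      sel.collapseToEnd();
    });
  }
}
```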

