Granting JavaScript access to the clipboard

From MozillaZine Knowledge Base
Jump to navigationJump to search

By default, JavaScript is not allowed to read or set your clipboard data for security and privacy reasons. This is because websites scripts can erase and replace what you currently have in your clipboard (data loss issue) and they can read whatever you have in your clipboard (security and privacy issue); as such, you should grant access with caution. There are, however, instances when you might want to bypass this restriction for certain sites. Rich text editors (such as implementations of Mozilla's Midas) often require access to the clipboard to use copy/paste functions. Other sites may copy useful information to the clipboard for the user to paste elsewhere.


Instead of manually setting preferences, the AllowClipboard Helper extension manages security policies with a convenient user interface and automates the steps below.

Security policies

You can also enable clipboard access by creating a security policy for the site in question. There is no built-in interface to do this, so you will need to edit user.js. You can also edit about:config, but due to a bug, you will not see the changes you've made (though they will take effect).

In user.js, add the following lines:

user_pref("capability.policy.policynames", "allowclipboard");
user_pref("capability.policy.allowclipboard.sites", "");
user_pref("capability.policy.allowclipboard.Clipboard.cutcopy", "allAccess");
user_pref("capability.policy.allowclipboard.Clipboard.paste", "allAccess");

The line with capability.policy.allowclipboard.sites can have multiple websites separated by spaces, like so:

user_pref("capability.policy.allowclipboard.sites", "");

Replace "" and "" with sites you wanted to allow clipboard access.

Granting to signed scripts

Occasionally the above will not work, as the scripts that need access may use an alternate method of accessing the clipboard. To grant these privileges, which include clipboard access, to signed scripts, set signed.applets.codebase_principal_support to true via about:config. This is not recommended as you cannot limit which sites have these extra privileges.

See also

External links