Granting JavaScript access to the clipboard

From MozillaZine Knowledge Base
Revision as of 14:28, 18 December 2005 by Hao2lian (talk | contribs) (Note about data loss and security/privacy.)
Jump to navigationJump to search

By default, JavaScript is not allowed to read or set your clipboard data for security and privacy reasons. This is because websites scripts can erase and replace what you currently have in your clipboard (data loss issue) and they can read whatever you have in your clipboard (security and privacy issue); as such, you should grant access with caution. There are, however, instances when you might want to bypass this restriction for certain sites. Rich text editors (such as implementations of Mozilla's Midas) often require access to the clipboard to use copy/paste functions. Other sites may copy useful information to the clipboard for the user to paste elsewhere.

In most instances, you can enable these scripts by creating a security policy for the site in question. There is no built-in interface to do this, so you will need to edit user.js. You can also edit about:config, but due to a bug, you will not see the changes you've made (though they will take effect).

In user.js, add the following lines:

user_pref("capability.policy.policynames", "allowclipboard");
user_pref("capability.policy.allowclipboard.sites", "http://www.example.com");
user_pref("capability.policy.allowclipboard.Clipboard.cutcopy", "allAccess");
user_pref("capability.policy.allowclipboard.Clipboard.paste", "allAccess");

The line with capability.policy.allowclipboard.sites can have multiple websites separated by spaces, like so:

user_pref("capability.policy.allowclipboard.sites", "http://www.example.com http://www.example.net");

(Naturally, you would replace http://www.example.com and http://www.example.net with sites you wanted to allow clipboard access.)

An alternative to manually setting these preferences is using the AllowClipboard Helper extension, which manages the security policy for you and gives you a convenient user interface.

Occasionally the above will not work, as the scripts that need access may use an alternate method of accessing the clipboard. This method uses signed JavaScript (a Netscape/Mozilla-specific technology), and requires that you set a preference allowing them advanced privileges.

To grant privileges (including clipboard access) to signed scripts, set signed.applets.codebase_principal_support to true via about:config or user.js. Note that this is not generally recommended, as you cannot limit which sites have these extra privileges.

See also

External links