Don't fuck with paste

koenraad
61 replies
10h6m

By disabling user input the application security actually gets worse. Users that can’t copy e.g. passwords will use less complex passwords to overcome the trouble of typing in their initially good passwords. But also user experience is degrading when applications enforce complex input and users generate that input like a chad as they should. But now they cannot paste…

globular-toast
55 replies
9h54m

I'll add to that systems that require particular characters to be used, like "must use capital, number and special character". I prefer to generate longer passwords but using only regular characters because I find it easier to type on the occasions I do have to do that.

Even worse, there are some that restrict what kind of special character you can use. So even when I've generated one I still have to edit to remove one particular character.

Would it really be that difficult to display password strength and say things like "use more characters, e.g. you could use four words".

_0ffh
20 replies
9h40m

> Even worse, there are some that restrict what kind of special character you can use

Even worse, there are some that restrict special characters, but don't tell you which!

Now you've got to go trial and error to find out which of the special characters in your password is not acceptable to that precious §("/$& website!

piyush_soni
15 replies
9h16m

Even worse, when on top of all these they add an arbitrary length requirement: It can't be less than 8 letters OR more than 12. :|

lapcat
3 replies
6h26m

Several comments mention passwords getting silently truncated by input maxlength. FWIW my extension provides a visible warning when this occurs: https://underpassapp.com/StopTheMadness/

encom
1 replies
3h20m

Proprietary, mac only, app store-ware. More madness.

lapcat
0 replies
2h45m

> mac only

Also iOS.

a_vanderbilt
0 replies
3h49m

I love this extension so much. Nothing satisfies me more than forcing stupid websites into cooperation.

cdr
2 replies
8h23m

Even worse, some will simply arbitrarily silently truncate the password. But not everywhere! The sign up page might silently truncate and then the actual login page might not.

piyush_soni
1 replies
8h12m

Wow. That would be a wonderful game of treasure hunt. Fortunately I've not come across that so far :D

_0ffh
0 replies
6h45m

What happened to me once is that a long-time password of mine got truncated as the website lowered its maximum password length, and the login page didn't truncate, so my full correct password suddenly stopped working. The pain.

anshorei
2 replies
8h12m

Even worse, when the password has an arbitrary length requirement of 20, but the site doesn't tell you and just cuts off any trailing characters exceeding the requirement during account creation.

You have no idea how long it took me to figure that one out.

tomsmeding
0 replies
7h27m

That sounds suspiciously like a VARCHAR(20) somewhere...

thedanbob
0 replies
6h28m

Slightly easier to figure out but no less annoying is when the maxLength attributes on the password fields for the two forms (create account and login) are different.

oneeyedpigeon
1 replies
9h8m

"look, just tell me what you want my password to goddam be, and I'll go with that!"

dwighttk
0 replies
6h9m

“Sure but you can’t copy it out”

tracker1
0 replies
8h44m

That one irks me too... When I built an auth/rbac app previously I did make Max length configurable and it would display a hint if set. I set a hidden hard limit to 1k only to reduce attack surfaces that would only display an error if exceeded.

Default was a min-length of 15 as the only requirement with the default hint of "try using a short sentence"

I also had optional use of zxcvbn and haveibeenpwned checks during new passphrase creation.

I really wanted to open source the application but couldn't get approval to do so.

It was a pretty nice little simple auth application that issued RSA signed JWT to configured applications. It was integrated into a few internal apps as well as for clients that didn't have something like azure ad, okta, etc. where we wrote bridge apps for auth.

If I had my configuration doc, I'd probably recreate it exactly, but with a Rust backend with HTMX instead of C#+react.

The data store used SQLite as a KV store, with simple methods for access that allowed an exception later for the values. Also wrote support for PostgreSQL and MS-SQL so they could be used where available.

Spent a lot of time on sane defaults, hashing and encryption along with required configuration options for a few clients.

Aside: more devs really need to better understand public/private key generation and usage... Like not using the same keys for different environments.

rmetzler
0 replies
8h36m

Don’t worry, all of this is necessary because the passwords are stored in plain text in the database.

zamalek
2 replies
7h40m

Even worse are "secure answers." Aka osint. I just have my password manager create passwords for those too.

Mordisquitos
1 replies
3h20m

Are you referring to 'security questions' where the user must choose from a predetermined list? A predetermined list which is often questions whose answers may be known to close attackers (first school), not applicable to everyone (name of first pet), or anglocentrically blind to worldwide cultural diversity (mother's maiden name). I hate that so much.

Providing a list is fine as long as they let the user type their own question if they want to. I cannot trust the security of a single one of their crap questions if I were to answer them honestly. However, if they let me type my own question, I can absolutely guarantee it.

zamalek
0 replies
2h17m

Yeah those. I choose them in order, no matter the subject, and put a password manager passphrase in.

tiltowait
0 replies
2h13m

The worst I've seen have uncommunicated password length maximums—but don't error when you exceed them. Instead, they just truncate your password, but only on creation. When authenticating, they don't truncate, so your password you just made with a password manager is "wrong".

Spotify did/does this. Made canceling my free trial really tricky, because I needed to log in again to do so.
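Added example (not part of the thread, and not any named site's code): the sign-up/login truncation mismatch that several comments above describe, next to a variant where both paths share one check and over-length input is rejected visibly. The 20-character cap, the 1024-character hard limit, the sample password and the PBKDF2 stand-in are all assumptions.

```python
import hashlib
import hmac
import os

SILENT_CAP = 20    # constructed: the undisclosed sign-up cap described in the thread
HARD_LIMIT = 1024  # constructed: generous bound that is rejected loudly, never trimmed


def kdf(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever password hash a site uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordTooLong(ValueError):
    """Raised instead of trimming, so the user gets to see the limit."""


class TruncatingSite:
    """Failure mode: sign-up trims the password silently, login hashes it whole."""

    def __init__(self) -> None:
        self.users = {}

    def sign_up(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, kdf(password[:SILENT_CAP], salt))  # silent trim

    def log_in(self, user: str, password: str) -> bool:
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, kdf(password, salt))  # no trim here


class ConsistentSite:
    """Both paths run the same check; over-length input is an error, not a trim."""

    def __init__(self) -> None:
        self.users = {}

    @staticmethod
    def check(password: str) -> str:
        if len(password) > HARD_LIMIT:
            raise PasswordTooLong(f"password is longer than {HARD_LIMIT} characters")
        return password

    def sign_up(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, kdf(self.check(password), salt))

    def log_in(self, user: str, password: str) -> bool:
        salt, digest = self.users[user]
        try:
            candidate = kdf(self.check(password), salt)
        except PasswordTooLong:
            return False
        return hmac.compare_digest(digest, candidate)


def demo() -> dict:
    generated = "kV7-qmzT4x_Lw9RbN2eYhC8d"  # constructed 24-character manager output
    broken, fixed = TruncatingSite(), ConsistentSite()
    broken.sign_up("alice", generated)
    fixed.sign_up("alice", generated)
    return {
        # The password the user saved no longer works...
        "broken_full": broken.log_in("alice", generated),
        # ...while a shorter one they never chose does.
        "broken_truncated": broken.log_in("alice", generated[:SILENT_CAP]),
        "fixed_full": fixed.log_in("alice", generated),
        "fixed_truncated": fixed.log_in("alice", generated[:SILENT_CAP]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

On the truncating site the stored secret is also weaker than the one the user believes they set, since only its first 20 characters are ever checked.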

Y-bar
11 replies
8h19m

Even Apple was so annoyed at this themselves that they actually went for a full open-source open-for-contributions GitHub repository at https://github.com/apple/password-manager-resources to get around these issues.

> Many password managers generate strong, unique passwords for people so that they aren't tempted to create their passwords by hand, which leads to easily guessed and reused passwords. Every time a password manager generates a password that isn't compatible with a website, a person not only has a bad experience but a reason to be tempted to create their password. Compiling password rule quirks helps fewer people run into issues like these while also documenting that a service's password policy is too restrictive for people using password managers, which may incentivize the services to change.

indigo945
10 replies
7h48m

Ironically, apple.com itself is listed in this repository! Apparently they don't allow non-ASCII characters in passwords.

amarant
4 replies
6h58m

Jesus holy Apple pie!

ASCII only in 2023 seems positively antique. And this from a supposed tech frontrunner! Wth...

chtitux
2 replies
6h48m

Limiting characters can also be a feature, so users can't use emojis in their password (this is so fun), to realize later they can't login, because they don't know how to input emojis from their desktop computer.

Hopefully passwords will be gone soon (at least that's my hope).

Sammi
1 replies
6h32m

There's only so much user hand holding you can do.

docmars
0 replies
3h49m

With how ubiquitous Apple is, introducing a small limitation to prevent user error can make a huge difference in reducing support requests.

dredmorbius
0 replies
2h42m

In what platforms is it not possible to input 7-bit ASCII characters 020 -- 073 (octal)?

In what platforms is it not possible to input various Unicode or emoji characters, whether at all or reliably?

vbezhenar
1 replies
4h33m

This is a good thing. I won't accidentally make weird password without realizing it.

bmicraft
0 replies
3h35m

It's not for people with other locales and keyboards

Sammi
1 replies
6h33m

You don't even have to make a single line change to your backend to fix this. You can fix this entirely on the frontend by just applying a digest hash on the password before sending to the backend for proper password hashing. This way you can even support "unlimited" length password.

usrnm
0 replies
6h3m

Yeah, just CRC32 the password on the frontend, should be fine

nicky0
0 replies
6h45m

I guess the plucky upstart password manager team has one problem to solve, the entrenched web services team has its own ways.

atoav
5 replies
8h2m

For my own applications I typically require only three rules to be kept, two of which most users will never even encounter, the password must:

1. be long enough (e.g. 8 characters or more)

2. not be in the list of 10k most used passwords

3. not simply reuse words present in the username, email, birthday (if my application knows about it)

This keeps it open and only interferes with truly stupid (aka insecure) password choices.

Additionally I like to propose 8 passphrases to the user so they can choose one of their liking with one click (this also serves as a proposal what a good passphrase could look like).
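Added example (not atoav's code): one way to implement the three rules and the eight passphrase proposals listed in the comment above. The tiny common-password set and 24-word list are constructed stand-ins for real lists, and the reading of rule 3 (strip the account's own words, then require a full-length remainder) is an assumption.

```python
import re
import secrets
from datetime import date

MIN_LENGTH = 8  # the comment's "e.g." value; raise it for sensitive applications

# Constructed stand-in for the "10k most used passwords" list.
COMMON_PASSWORDS = frozenset(
    {"password", "12345678", "qwertyuiop", "iloveyou", "letmein123"}
)

# Constructed word list for the proposals; a deployment would load several
# thousand words so that four random picks carry enough entropy.
WORDS = (
    "amber", "basket", "canyon", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchard", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
)


def personal_tokens(username, email, birthday=None):
    """Lower-case fragments of the account data that a password should not lean on."""
    tokens = set()
    for field in (username, email):
        tokens.update(t for t in re.split(r"[^a-z0-9]+", field.lower()) if len(t) >= 3)
    if birthday is not None:
        for fmt in ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y"):
            tokens.add(birthday.strftime(fmt))
    return tokens


def check_password(password, username, email, birthday=None):
    """Return the names of the violated rules; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if lowered in COMMON_PASSWORDS:
        problems.append("common")
    # Rule 3: remove the account's own words (longest first) and see what is left.
    remainder = lowered
    tokens = personal_tokens(username, email, birthday)
    for token in sorted(tokens, key=len, reverse=True):
        remainder = remainder.replace(token, "")
    if len(password) >= MIN_LENGTH and len(remainder) < MIN_LENGTH:
        problems.append("reuses_account_data")
    return problems


def propose_passphrases(count=8, words=4):
    """Offer ready-made passphrases drawn with the OS CSPRNG."""
    return [
        "-".join(secrets.choice(WORDS) for _ in range(words)) for _ in range(count)
    ]


if __name__ == "__main__":
    account = ("alice", "alice.smith@example.com", date(1990, 4, 12))  # constructed
    for candidate in ("abc", "12345678", "AliceSmith1990", "welcome-to-the-jungle"):
        print(candidate, check_password(candidate, *account))
    print(propose_passphrases())
```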

Sammi
3 replies
6h26m

Good, except min 8 chars is not safe at all. Don't approach any semblance of security before min 12 chars. Min 14 is when you get into real security. The increase in entropy is exponential with password length, so security increases quickly after this.

sbrother
0 replies
3h45m

All that users do when they get hit with restrictions like that is repeat their password again, or fill it out with exclamation points. Not a lot of entropy getting added.

kbolino
0 replies
4h33m

The entropy doesn't increase exponentially if my password is just N copies of the same character or phrase, it only increases linearly.

Minimal password requirements allow people who know what they're doing to do the right thing. If you want to stop people who don't know what they're doing from doing the wrong thing, it will take a lot more than just length restrictions.

atoav
0 replies
1h36m

That is why I wrote e.g., actual length can be tuned to fit the purpose of the application. If there is really sensitive data or attackers gain privileges that could wreak havoc in the wrong hands I'd probably go with 12. If an attacker would gain next to nothing I'd go with 8 for comfort reasons.

This is in addition to other mechanisms of course, like rate limiting password attempts, fail2ban, salting, peppering, choosing the right hash, proper database separation etc.

The goal should be that only an attacker that has a copy of the database could profit from too short passwords, and only if they get the salt and pepper correct, to avoid rainbow-table-attacks.

tim333
0 replies
6h31m

I miss the old days of youtube when they had no restrictions. My password was x for ages. I think the only thing I use which still allows short passwords is my apple system password which thankfully is still three characters.

JonChesterfield
5 replies
6h35m

Shout out to forms which error out with "Password too long! Must be at most ten characters. All from this subset of ascii". Which seems especially popular with banks.

tdudhhu
1 replies
6h4m

Sometimes I can understand this because banks work with old software that just has these restrictions.

But modern apps: just give us Unicode support. And maybe a limit of 255 characters, but not less.

tazu
0 replies
1h33m

Noticed the other day BCrypt has a max input size of 72 bytes.

kdomanski
1 replies
6h5m

Yeah, banks unfortunately have their opinionated checklists of “best practices”, also known as “what every other bank does”.

alwaysbeconsing
0 replies
1h29m

Very frustrating that any place where I can store code has way more security than what's more important to me: place where I store my money. Financial companies still using SMS for 2FA!

tazu
0 replies
1h32m

Ran into this with TikTok "Creator Marketplace" (for buying ads), password limit of 20 characters... $200B company.

ssl-3
3 replies
9h22m

Obligatory: https://xkcd.com/936/

(Those of us who know, already know. I'd like to say that we all know here.

But if a reader does not recognize "correct horse battery staple", then you're obliged to click the above link -- you're one of today's lucky 10,000![1])

1: https://xkcd.com/1053/

pooper
1 replies
8h52m

I have multiple Google Accounts. One of them, I want to remember the password. The others, eh. I just want to copy paste. Doubly so for practically anything else. I wish they'd just let me copy paste.

I have developed a maybe irrational fear of space in strings such as passwords and paths. It always scares me when people use spaces in either case.

tracker1
0 replies
8h40m

For passwords I have to actually remember and type in (os login, password mgr evs) I expressly use a short sentence, often with spacing and punctuation. Sometimes an intentionally misspelled word.

tracker1
0 replies
8h42m

Yeah, haveibeenpwned is a great resource. More sites really need to integrate this kind of check.

teeray
1 replies
4h12m

You want to have weird password rules? Fine. Please make some standardized meta tags my password manager can find so it generates perfect passwords every time. Bonus points for a well-known URI facilitating touchless password rotation.

gorjusborg
0 replies
4h4m

> You want to have weird password rules? Fine.

I'd be fine with storing the password policy in the password manager, and having it generate based on that policy next time.

And having all sorts of weird stuff in a password isn't necessary, so neither is the policy. To top it all off, many of the sites obsessed with password quality actually limit password length. Why?! You are comparing passwords hashes and storing them as hashes, right? So the length shouldn't matter.

Allow passwords of effectively unbounded length, set a reasonable minimum length, and don't obsess about password 'complexity'.

And for the love of all that is good, don't eff with paste.

user3939382
0 replies
5h45m

High quality complexity and password policy guidelines are provided by NIST and no one uses them. It’s called NIST 800-63b. Just use it!

dwighttk
0 replies
6h12m

Also the rules sometimes show up saying you’ve violated them when you haven’t…

yes it’s longer than 8 characters

Yes I have one of your stupid special characters

Yes I’ve fulfilled all your other written rules

Oh… it also has to be LESS than 21 characters? Why did you not say that?

bsuvc
0 replies
4h40m

Requiring special characters is just another type of security theatre.

bondarchuk
0 replies
4h7m

All I ask is that the same restrictions are also displayed again whenever I have to enter my password for login.

bittercynic
3 replies
2h49m

I generally agree that you should let the user use the facilities they're used to, but if you have a habit of copying and pasting credentials you'll be more vulnerable to phishing.

Firefox and Chrome's built-in password management tools would never accidentally enter your credentials on a lookalike site, but you very well might.

sbuttgereit
0 replies
2h33m

That's all great, but then there are the times when they don't offer to copy the credentials where they should. Maybe the "correct" URL was too narrowly defined to be useful, or was taken from the setup context and is otherwise wrong for regular usage.... maybe the site changed their authentication process... etc. In the end, all of this tends to defeat the very resistance to the manual entry impulse you describe. If these password manager entry systems worked more flawlessly, your point would carry more weight... but having to defeat the protection your assertion relies upon is commonplace enough in legitimate purposes that it may well be nullified at all times.

In the end, as long as a site is going to use username/password authentication there will always be the need to educate users about what to expect sans the aid of tools.

mox1
0 replies
2h46m

And both of those built-in password management tools are actively targeted by credential harvesting malware.

indymike
0 replies
2h40m

> I generally agree that you should let the user use the facilities they're used to, but if you have a habit of copying and pasting credentials you'll be more vulnerable to phishing

This is like advising that glass sidelights be installed next to the vault door.

wccrawford
0 replies
5h29m

In addition, they will probably also still try to copy to clipboard first, since they probably don't use that interface often enough to remember its special rule.

pupppet
49 replies
17h24m

Right up there with hijacking Ctrl-F.

dylan604
11 replies
17h1m

There's a lot of keyboard shortcuts that mean one thing in the browser but something totally different in another application. Now that it is common for many of these other applications to now be a web app, these keyboard short cuts are possible to start colliding.

Take GoogDocs as an example. Do you want the browser's find or the app's find if you hit ctrl-f in a Doc/Sheet/etc? The vast majority of the users want the app's. Reading a news site, most people would probably expect ctrl-f for the browser's search.

Just pointing out that hard rules will always have exceptions. Except for the TFA's point of copy/paste. Stop manipulating my clipboard with bullshit marketing/tracking bullshit!!!!!!!

8338550bff96
10 replies
16h46m

Then the vast majority of users are wrong. The correct answer is for it to be the browser's find.

Maybe apps could bind their find/search to ctrl-s since it is incorrect for browsers to bind this to save-page anyway.

dylan604
6 replies
16h41m

why is all of the sudden ctrl-s wrong by the browser?? you make no sense here. you've never needed to save a web page? i guess i'm showing my age, while i don't use it daily, it has been a valuable feature for many reasons before.

Edit: >Then the vast majority of users are wrong.

I strongly disagree, and people unwilling to be flexible ruins the experience as those people tend to be the minority

pinkmuffinere
5 replies
16h35m

You’re absolutely correct though, the parent comment seems to think there are absolute right and wrong answers for UI. I think that’s just not true, a good UI is one that works for your customers.

dotancohen
2 replies
12h15m

Of course there are absolute right and wrong answers for UI. Accessibility, minimum text contrast and font size, minimum size for clickable items. Keyboard shortcuts may not be (or may be) one of them, but in fact consistency across applications _is_ considered a hallmark of good UI and every Human Interface Guideline I've ever read, including open source ones such as that from KDE, specify such.

vidarh
0 replies
11h34m

You're being obtuse. Even most of those you list will not reasonably have a fixed, absolute value that is right for all users, all applications, and all situations, and assuming they do is the cause of a lot of awful UI limitations.

(Your user will never need characters to render as single pixels? Try again - sooner or later someone will decide to abuse your spreadsheet as a raytracer and be annoyed they can't make cells single pixel)

And a feeling of consistency often requires exceptions for specific cases such as the example of "find" where few users want to specifically find what happens to be in the browser's idea of what the document currently contains, but what it logically contains in their model of what it should contain. Consistency means that in an app that dynamically updates a scrollable region, for example, it should still find things in the currently not part of the browser document bits, and so shouldn't use the browser's find in those cases.

Some users might want a shortcut that always does the browser's own find, and there generally ought to be ways to override the app, but consistently acting how the user will want is rarely compatible with absolute rules.

pinkmuffinere
0 replies
11h43m

I agree with almost all of the specific examples you give, but I think I agree _because_ those UI decisions work better for customers, and not because they are absolute right and wrong. I think I can illustrate this with some examples:

1. Consider a keyboard without an f-key, eg Arabic. If the user is using an Arabic keyboard, what should bring up the browser's 'find' functionality? Of course ctrl-f won't cut it. Perhaps it should be ctrl-[first letter of 'find' in Arabic]? Or perhaps ctrl-[the letter in the same position as f on qwerty keyboard]? It makes sense to follow convention if one is already established for Arabic, but then what about languages that are new to the web?

2. Consider a phone-tree, which is a sort of UI. For this UI, the 'absolute right answers' of minimum text contrast, font size, keyboard shortcuts, etc, make no sense, but there are surely other ways to make the UI work well for customers.

In both these scenarios, I feel the 'right' choice is to pick the UI that is best for users. I think there isn't a-priori a right answer, and users' habits change over time and across cultures, so it's not necessarily an easy choice.

masto
0 replies
16h26m

They're trolling.

8338550bff96
0 replies
4h53m

Hey, man. I'm just dispensing justice. I don't make the rules

lesuorac
2 replies
16h36m

The browser's control-f won't find you text drawn onto a canvas element so those users really aren't wrong ...

Andrex
1 replies
14h25m

It's also trivial to use Ctrl+F on such pages if you so choose by clicking into the URL bar and then doing the keyboard combo. (Or just make two clicks in the browser menu.)

I can see valid use cases for customizing Ctrl+F.

paradox460
0 replies
13h1m

Discourse apps bind the first hit of Ctrl/cmd-f to the app's search feature, and then the second passes through and hits the browser's. Seems to be the right way to do it

notamy
7 replies
17h7m

Ctrl-G and F3 often work to bypass that ime

dugite-code
6 replies
17h1m

I honestly didn't know about Ctrl-G. You may have significantly changed my life!

dylan604
5 replies
16h59m

isn't ctrl-g common for "find next" with shift-ctrl-g "find previous"? maybe i live too much in my IDE/text editors?

kayodelycaon
1 replies
16h51m

On macOS cmd+g is a standard shortcut most apps implement.

dylan604
0 replies
16h38m

yeah, i substituted to ctrl from my normal cmd to not confuse people

dugite-code
1 replies
16h48m

Almost certainly, but it's one of these "I can't believe I never knew this, it's so obvious!" things.

dylan604
0 replies
16h43m

In that case, I'd highly recommend browsing through the drop down menus for any of your apps. It is very common* for the keyboard shortcut to be listed, and very frustrating when it is not. This is my primary source for finding these shortcuts for a new app.

* maybe it's a Mac thing???

Andrex
0 replies
14h25m

In my head Ctrl+G is a shortcut for "Ctrl+F with the last result I searched for."

grishka
5 replies
10h50m

I just don't get it why browsers allow websites to override their own hotkeys. I'm sure it even required extra code to be written to work correctly.

Linear hijacks Cmd+F for example, very helpfully providing some terrible thing instead of my browser's built-in search that works the same everywhere. (it's the same Linear that thinks you can't not want wysiwyg markdown editing)

nsinreal
4 replies
10h39m

Well, for Ctrl+F there is sometimes a reason. Many websites use a technique called virtualization of lists. That boosts performance, but standard Ctrl+F doesn't work properly anymore

BasieP2
2 replies
10h16m

I know of 2 websites that do this.

1. Confluence: It's super annoying and takes up a lot of screen space

2. Nexus: It simply kills it. You can use ctrl-f but it simply will not find text right in front of you..

Really i see no valid case

rasz
0 replies
9h57m

github code editor is a big one

PennRobotics
0 replies
9h27m

DOS emulator and Vim emulator, and that's almost all I can imagine. Maybe games that would use the control key as an additional input---but in the browser???

aitchnyu
0 replies
7h50m

The good sites allow you to hit ctrl f twice to get browser's find feature.

AA-BA-94-2A-56
5 replies
16h28m

Stripe’s API documentation does this and it gives me the shits, because it seizes up my M2 MacBook Pro for several seconds.

I can’t believe that it’s 2024, and I can’t simply grep some documentation.

dotancohen
4 replies
12h12m

The Vimperator/Tridactyl (Firefox VI shortcuts extension) search / is not hijacked on the Stripe API documentation.

bovine3dom
3 replies
9h10m

FWIW, the / search isn't part of Tridactyl but we do inject some code that frees up / from most websites so Firefox can use it.

It's possible to write your own user script to do it (you just need to add a keypress event handler that does preventDefault() and maybe stopPropagation()) with no need for Tridactyl :)

SushiHippie
1 replies
7h56m

But it still doesn't seem to work on GitHub, did you whitelist GitHub for the preventDefault or is GitHub just a bit extra when it comes to hijacking keybinds?

bovine3dom
0 replies
7h40m

It works sometimes on GitHub, it's just a bit extra as you said.

GitHub is what annoyed me enough to make the feature in the first place. It used to work reliably but they made it worse :(

dotancohen
0 replies
7h3m

Good to know, thank you. Maybe non-Tridactyl users should check if / is hijacked along with Ctrl-F, Ctrl-G, and F3.

And I'll take the opportunity to say thank you for Tridactyl! Have a great weekend!

makeitdouble
2 replies
16h36m

There are semi-legitimate cases where this is warranted. For instance when looking at a Notion database, standard Ctrl-F is almost useless, and document search needs to go through the notion API to return results, sometimes even related to the entries that are displayed on screen.

I say "semi-legitimate" because I actually wish they'd map to a different shortcut, but can see the case for user wanted the remapping.

This of course stems from earlier decisions to have that document handling style in the first place. IMHO it becomes a complex debate when on line between an online application and a webpage.

AA-BA-94-2A-56
1 replies
16h27m

Shouldn’t CMD+F be reserved to searching the current document/context?

Something like CMD+K should be used for a more global search.

easton
0 replies
16h17m

You can't use those keys (Super+) in the browser AFAIK. The operating system expects to use them for keyboard shortcuts.

(Guessing on macOS Cmd+V is actually triggering a clipboard event in JS, the site can’t actually see that you pressed Cmd+V)

tom_
1 replies
17h22m

And overriding Ctrl+K without even being so good as to give way when you type it a second time. Assholes.

oneeyedpigeon
0 replies
9h27m

We're talking about you, Slack. (At least I can now remember which app is the one that breaks Cmd-K, but it's still annoying that I have to think that little bit longer to recall that info. every single time I press Cmd-K anywhere)

strbean
1 replies
17h10m

Recently learned that if you Ctrl-F again after the hijacking, it brings up the browser search box.

Discovered this thanks to a site (don't remember which) that included a tooltip about this fact in their hijacked search box. I was curious if it would work on Redocly search, which has no such tooltip, and it did. I'm not positive if this works universally, or is just an undocumented feature of Redocly's interface and won't work in places the developers didn't make specific accommodations for it.

Env: Chrome + OSX or Windows.

pzmarzly
0 replies
5h0m

It's a feature built-in to most browsers, same with right-click (if page hijacks right click, right-click twice in rapid succession).

oneeyedpigeon
1 replies
9h29m

'Find in page' is now so broken on modern websites that the keyboard shortcut is the last of our problems.

PennRobotics
0 replies
9h17m

Bitwarden.

"Find in page" will only show a result if it is visible on the page (even though the scrollbar indicates the full vault has loaded, and even after scrolling down to the desired result and then back up).

They have a "Search vault" field that works fine, so it's not a major inconvenience, but the first few times I've Ctrl+F'd a newly added site and gotten "Phrase not found" when I know I added credentials? That's a mild anxiety I'd rather not have.

I could be convinced there's a security-related reason for this---in fact, I never really thought about it until now---but then I'd assume anyone able to get access to your vault can use Selenium and fill in the "Search vault" input field.

dugite-code
1 replies
17h18m

Hell just hijacking any standard browser controls is infuriating when it catches you out when you're just not paying complete attention.

Edit: Apparently Firefox has the `permissions.default.shortcuts` config option

UNKNOWN: Services.perms.UNKNOWN_ACTION [0]

ALLOW: Services.perms.ALLOW_ACTION [1]

BLOCK: Services.perms.DENY_ACTION [2]

PROMPT: Services.perms.PROMPT_ACTION [3]

And in the site information panel you can disable the Override keyboard shortcuts permission on a per-site basis. Neat, doesn't solve the paste override issue though. Source: https://support.mozilla.org/en-US/questions/1241294#answer-1...

crtasm
0 replies
15h38m

A huge thanks for making me aware of this. permissions.default.shortcuts firmly set to 2.

stn_za
0 replies
5h1m

So much this.

lukeholder
0 replies
17h21m

Stripe docs do that and it annoys me to no end. They let you use the native search if you press ctrl+f a second time but since there is a delay it causes chaos.

int_19h
0 replies
16h23m

This is the biggest reason why I hate Discourse.

Lio
0 replies
6h12m

My personal hate is when webpages rebind scrolling to zoom.

I haven't used a mouse in almost 15 years. It's a constant source of annoyance when I try to scroll something with a map with my trackpad and it goes crazy zooming in and out.

LM358
0 replies
8h23m

I don't think anyone here can imagine my bewilderment, confusion, and ultimately anger, the day I discovered that in the web interface for Outlook, Ctrl+V is the default shortcut for... send email.

I would very much like to know what went through their heads when they decided on that. On further thought, maybe I don't.

jessriedel
48 replies
17h21m

> In order to provide the smoothest experience as possible, the extension needs to know when you change active tabs. In order for the extension to know about that event, it needs the tabs permission, which Chrome describes as "can read and change all your data on websites you visit." That description is very scary, and is certainly not what this extension is doing. Being an open-sourced project, you can always read all the code to see how this extension works, and what it's [not] doing with your data.

The problem is that even if I read the code, or more likely chose to trust that someone has, it's not guaranteed to remain true for future updates. The author's scruples may weaken with time, or they might sell the extension, etc. (I think Chrome's extensions auto-update, but even if they didn't I'd still have to remember that this extension is one that I can't assume it's safe to update.)

Nifty3929
22 replies
12h40m

This is a bit cynical isn't it, when the author is clearly being as transparent as possible about what they need and why, which is due to factors outside their control.

Of course you're right in a technical sense. They could do whatever they want later.

But still let's celebrate an attitude like this rather than criticizing it.

shakna
5 replies
11h49m

It's not cynical - see what happened to ublock. That kind of mess has happened, and will continue to happen, and should be a factor in what you choose to trust.

efilife
2 replies
11h36m

What happened to ublock? Are you talking about uBlock origin?

eslaught
0 replies
11h16m

The Wiki article has a brief summary of the history, but basically the original author wanted to transfer responsibility for the user-facing maintenance to someone else, who started seeking donations and (I believe) taking payment for "acceptable ads" and the like.

https://en.wikipedia.org/wiki/UBlock_Origin#uBlock

Denote6737
0 replies
9h38m

It was uBlock that was bought by AdBlock. uBlock origin is a different project and wasn't part of the sale. It is not accepting payment for ads.

josefx
0 replies
11h13m

Wasn't the worst that happened with it that the guy who took over uBlock tried to take credit for it and asked for donations? Not like he could get away with anything outright illegal when everyone knew he was running the project.

gorhill
0 replies
6h20m

The extension in the Chrome Web Store (CWS) never changed hands. I just reverse-forked a GitHub repo, which was of no consequence to those who installed the extension from the CWS. I was asked to transfer the CWS entry, I refused. This can't be compared to an extension changing hands or going rogue in the CWS.

foofie
3 replies
11h55m

This is a bit cynical isn't it (...)

No, it's called security.

Let's put it this way: there have been FLOSS projects whose maintainers intentionally pushed compromised code to unsuspecting end users. See for example the colors attack.

What leads you to believe that good intentions are enough?

bakugo
2 replies
4h28m

Let's put it this way: there have been FLOSS projects whose maintainers intentionally pushed compromised code to unsuspecting end users. See for example the colors attack.

Following this logic, we should all stop using any and all software for which we haven't personally inspected the full source code, since this could happen to any of them.

ziddoap
1 replies
3h40m

That's the extreme end, sure.

A more reasonable take would be to assess your risk tolerance and the possible benefit for each piece of software you install, and then make the best decision for yourself based on that assessment.

For some people, that means not running an extension that provides minor quality of life improvements due to the possibility of it turning malicious further down the road. For other people, it means the opposite.

Not sure why every security-related conversation devolves into one extreme vs. another extreme. Security must be appropriately balanced against risk tolerance, inconvenience, and a number of individual concerns and preferences.

bakugo
0 replies
8m

If you personally think extensions are too much of a security risk for you, sure, don't use them. But please don't comment "ackshually extensions are insecure and using them is a bad idea" on every post about a browser extension. We already know the risks, it's explained when you install them, we don't need to hear the same lecture every day.

bee_rider
2 replies
10h42m

It would be more transparent to be candid about the limitation of what they can provide.

It isn’t the developer’s fault that the ecosystem is dumb, but they could just note the limitation.

tsimionescu
1 replies
10h36m

So you're saying they shouldn't add the feature rather than asking for the permission?

bee_rider
0 replies
5h33m

No, they should just note the issue in a parenthetical aside.

Beldin
2 replies
11h44m

This has been used as an attack vector in the past: spot reasonably popular plugin; make author an offer; inject whatever tracking/other malware stuff new owners want (typically after a delay).

So now we'd have to trust the author to do thorough vetting of a potential buyer and also not sell if vetting is inconclusive. And this against an adversary aiming to cheat their way past vetting.

Might be a cynical take, but it is not one without reason.

As a sibling comment points out, this is due to the permission model. This doesn't let the author entirely off the hook though: the permissions model created the situation, the author chose a particular path. The consequences may not have been foreseen by either, but they do exist and affect users.

tracker1
0 replies
8h37m

In this case, you can build and self host on Dev mode... It's a pain but doable.

bryanrasmussen
0 replies
11h7m

the permissions model created the situation, the author chose a particular path.

perhaps the most reasonable or even only possible path if they wanted their plugin to be able to do what they wanted it to do, which was to keep sites from messing with your copy and paste functionality - in other words to prevent minor maliciousness.

on edit: sure, to provide the smoothest behavior, but really if it wasn't smooth people would be irritated and not want to use it. I know if I was implementing for myself I would want it to be smooth.

I understand the whole "bad things can be done" perspective, but here for some reason I fall under a "trust but verify" perspective instead.

lowbloodsugar
1 replies
11h58m

But WHY do they need that permission? They don't need it to implement the paste behavior. Looks super sus to me.

ambigious7777
0 replies
10h59m

The extension needs to re-enable paste, which means it needs to possibly inject some JS into the page.

dotancohen
1 replies
12h24m

Sounds to me like GP is complaining about Chrome's permission model, not this particular extension.

Nifty3929
0 replies
12h16m

That isn't my interpretation having just reread it, but if that poster comes back to clarify otherwise I'll edit my post accordingly.

jessriedel
0 replies
1h24m

Nope. People are being asked to give a bunch of deep access to their system, it's not enough for the author to have pure intentions and explain why they asked. The user should understand the risks, many of which are non-obvious (like the extension being sold).

beacon294
0 replies
11h51m

No, it's well documented. Popular Chrome plugins, mainly free ones, historically have been sold.

pimlottc
6 replies
17h8m

It is also not at all clear to me why it "needs to know when you change active tabs".

jessriedel
1 replies
13h32m

Huh. That seems not super important to me. Presumably he could make an option/version where the icon didn't change?

kortilla
0 replies
12h10m

Yeah, seems like a lame excuse to permissions grab crazy privilege.

Leszek
0 replies
11h30m

You should have read a few more lines of that source - it also sends an "active" message to the tab, which is what adds and removes the copy/cut/paste event handlers.

ipaddr
1 replies
16h42m

You need to detect and stop sound. You swap out active memory.

pimlottc
0 replies
15h26m

What does any of that have to do with making sure input fields are pasteable?

nextlevelwizard
5 replies
11h49m

The thing is there is no alternative way to do this. I have written some extensions myself and often you can't do anything without having full read and write access to every page.

For example I have an extension that lets you right click an image and rotate it by -90/+90/180 degrees. All I want is for the browser to hit me up when there is a `<img>` tag, but that is not an option. Either I have to white list every page separately in the code or ask the user to white list every single page or just ask for full read and write permissions for every single web page the user visits.

stefan_
1 replies
8h16m

I have an extension to replace the "backspace for back" keybind they intentionally broke after 30 or how many years and of course it needs access to everything everywhere, because apparently they can't envision extension functionality that isn't "inject JavaScript".

vsnf
0 replies
8h6m

On Firefox this is an option in about:config, no need for an extension. I’m on mobile rn so I don’t have a reference to the specific key, but it’s something like “enhanced backspace”

wanderingstan
0 replies
4h18m

As someone working on an extension right now, I can definitely say that you only need the “ActiveTab” permission. With this, the extension only becomes active (and can interact with the page) when the user right-clicks an image and selects the action from the extension.

No need for full read and write permission.
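Added example, not part of the thread and not code from the extension: a manifest check for the concern raised above that a later update could widen an extension's access, and for the `activeTab` versus all-sites distinction. The two manifests are constructed samples, and the "hold on any new grant" policy is an assumption.

```javascript
// Constructed sample manifests (not taken from any real extension).
const pinned = {
  manifest_version: 3,
  name: 'example-paste-helper',
  version: '1.0.0',
  // activeTab: temporary access to the current tab, only after a user gesture.
  permissions: ['activeTab', 'scripting'],
};
const update = {
  manifest_version: 3,
  name: 'example-paste-helper',
  version: '1.1.0',
  // tabs: exposes tab URLs and titles to the extension.
  permissions: ['tabs', 'scripting'],
  host_permissions: ['https://*/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};

// Host access is written as a match pattern: <all_urls> or scheme://host/path.
function isMatchPattern(value) {
  return value === '<all_urls>' || value.includes('://');
}

// A pattern covers every site when it is <all_urls> or has a bare wildcard
// host under a web scheme, e.g. *://*/* or https://*/*.
function coversAllSites(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === '*';
}

// Flatten everything that is granted at install time. Optional permissions,
// which are requested at runtime, are deliberately not covered here.
function grants(manifest) {
  const out = new Set();
  const addPattern = (p) => out.add(coversAllSites(p) ? 'ALL_SITES' : `host:${p}`);
  for (const p of manifest.permissions ?? []) {
    if (isMatchPattern(p)) addPattern(p); // Manifest V2 keeps host patterns here
    else out.add(`api:${p}`);
  }
  for (const p of manifest.host_permissions ?? []) addPattern(p); // Manifest V3
  for (const script of manifest.content_scripts ?? []) {
    for (const p of script.matches ?? []) addPattern(p);
  }
  return out;
}

// Compare the version you reviewed with the version an update would install.
function reviewUpdate(oldManifest, newManifest) {
  const before = grants(oldManifest);
  const after = grants(newManifest);
  const added = [...after].filter((g) => !before.has(g)).sort();
  const removed = [...before].filter((g) => !after.has(g)).sort();
  return {
    added,
    removed,
    widensToAllSites: !before.has('ALL_SITES') && after.has('ALL_SITES'),
    hold: added.length > 0, // assumed policy: any new grant gets a human review
  };
}

console.log(JSON.stringify(reviewUpdate(pinned, update), null, 2));
```
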

hahn-kev
0 replies
8h25m

For the lay person being able to access any image on any page is pretty much the same thing as being able to access all pages.

enriquto
0 replies
7h50m

The thing is there is no alternative way to do this.

Maybe. But this is not clear at all from the given explanation:

In order to provide the smoothest experience as possible, the extension needs to know when you change active tabs.

The "smoothest experience"... This is corporate wooden language, and sounds disrespectful towards the users. Why does the extension need, precisely, to deal with tabs at all? A smooth experience would allow the users the choice to disable this permission while still working correctly on a single tab (as the previous version did). If this is not clearly explained upfront, it sounds like bullshit, even if it isn't.

Maybe there is no alternative way to do this. But certainly there is a better way to explain this.

varenc
4 replies
17h4m

I get around that by downloading the extension source and then using Chrome extension developer mode to “load unpacked extension”. Then I’m confident the extension won’t change on me.

(But for this extension I don’t give it all site permissions anyway. I just enable on a site-by-site basis)

quickslowdown
3 replies
16h32m

That's terrible for security, but great for convenience :)

varenc
2 replies
13h35m

Can you explain what you mean by this more?

lukan
1 replies
12h20m

Probably because "no automatic updates means bad"? Which might be true in general, but maybe not here. Depends how complex the source is.

quickslowdown
0 replies
2h57m

This is exactly the point I was making. I personally don't care that this is how some people manage their chrome extensions. It's clever, and will help if the source suddenly changes. If there is a vulnerability in the version you've downloaded & keep installing, it'll never be fixed because no automatic updates. Plenty of examples of extension vulnerabilities in Chrome, but the stability of your plugins not auto updating is definitely appealing to avoid unexpected changes/behavior

pants2
1 replies
17h0m

Does Chrome have a "Developer Tools" feature for extensions, so you can dive in to the code and network requests?

zettabomb
0 replies
17h13m

This one is the version linked by the Firefox addon [0]. Honestly can't tell if one or the other is better but I like having it automatically enabled. Considering it hasn't been updated for years (but still works) I'm not particularly worried.

[0] https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-wi...

mrd3v0
0 replies
8h58m

You mean the permissions system is broken and most extensions do suffer from the same issue?

Nah mate, we at Google, (bless them Mozilla crooks giving us control over their extensions), don't care about actual issues, we only update extensions to make money and limit user freedom.

jdthedisciple
0 replies
10h39m

then u can simply clone the repo and locally load the extension ... bye bye auto-updates

Hackbraten
0 replies
10h27m

That's exactly why I use my system package manager to install and update browser extensions.

And whenever the package repository is missing a browser extension I need, I contribute the package and take responsibility for its ongoing vetting and maintenance.

swayvil
15 replies
17h26m

Ya, fucking with paste is a pet peeve of mine.

What's a good argument for fucking with paste?

freedomben
7 replies
17h23m

The only one I've ever heard is "security." Sometimes people try to "yeah it's because for security we don't want some tool to paste credentials or clickjacking mumble something malware hacking clipboard spyware javascript browser" but most of the time the truth is "our sec people need to show controls for hardening the authentication process so they came up with that and we just did it because it wasn't worth the fight"

I've also heard "being able to copy/paste defeats the purpose of having a 'confirm email' field." I reject that but it's at least somewhat logical.

zettabomb
2 replies
17h16m

I consider it a reduction in security because it makes entering proper random passwords more difficult - either I have to paste it somewhere else first (and leave it in plaintext on my screen) OR I have to use a more memorable/shorter password. When I can paste passwords, they can be as long as possible and never are actually visible in any way.

freedomben
1 replies
17h10m

Completely agree. There was a particular US government-run website that I had to use that disabled pasting, and required obscenely long passwords (like 15 character minimum, at least two letters/numbers/symbols/capitals/etc), and forced rotation every 60 days, and aggressively blocked "keyboard patterns" and once a password had been used, it couldn't be used again forever. Given I only had to log in about once every 90 days, I literally had to change my password every time. I've never been more enraged at a product in my life. My passwords for that site may have looked good out of context, but in reality I just figured out "keyboard patterns" that it wouldn't detect and used those, and kept the password in plaintext where I could read and type it. It was the biggest security anti-pattern that I could possibly think of.

Analemma_
0 replies
16h48m

They finally fixed it after years of griping (I assume because the skyrocketing interest rates meant a large number of people suddenly began using it), but for a long time the official website for buying US government bonds wouldn't let you use your keyboard at all to enter your password, you had to click on an on-screen keyboard Java applet. For "security". Fortunately most password manager tools could break through it and paste into the password field anyway, but what a fuckup that was.

(And the site still sucks- you can't use the back button at all, for example-- but it sucks infinitesimally less now)

ryandrake
1 replies
17h20m

Too much gets justified with vague, handwavey "because security" excuses. We can't do this because... uh... because security, yea, that's it! It should be "Specific vulnerability or GTFO."

styxfrix
0 replies
16h16m

Yeah. NordVPN is an example of this handwaviness. They refuse to delete my account to which I can successfully log into and which I've never used because they claim that as "a security-oriented company we do not take account change or deletion requests lightly, hence we request payment information to confirm ownership of the account, as we would not want anyone but the rightful owner making such changes." Problem being, I've never paid NordVPN, and when I told them as much and asked what security problem could result from them deleting an unused account, they didn't respond.

bogota
0 replies
17h16m

A classic “save the children” argument of security. I know you aren’t making it but i have heard people argue this too many times over the years.

MBCook
0 replies
16h50m

That’s exactly what I’ve heard. In a discussion about this recently at my job they wanted to add this to some login related forms.

I pointed out this was obnoxious and I’ve heard in the past copy & paste can be important for accessibility though I can’t be sure first hand.

Security BS was the reason I was given.

The irony is our IT department tells us to use a specific password manager and copy & paste usernames and complex passwords because the app doesn’t have browser integration. I assume “for security”.

chrisfosterelli
3 replies
17h23m

When you have a confirmation field, like signups that require you to type your email and then verify your email, blocking paste stops the user from typing a typo and then copy-pasting the typo into the confirmation field.

Another use case is when you want the user to type in the name of the project or resource before they delete it, sites sometimes block copy and pasting the name to avoid having users get into that habit and make a mistake.

Personally I dislike the UX, I think it's too user hostile to 99% of users at the benefit of 1% that are making a mistake that's obviously their own fault, but it does cut down on support time I assume.

robenkleene
1 replies
17h17m

When you have a confirmation field, like signups that require you to type your email and then verify your email, blocking paste stops the user from typing a typo and then copy-pasting the typo into the confirmation field.

This argument is indefensible. Browsers have had autocomplete for over a decade, Contact book applications that store email addresses have existed over a decade, password managers that also handle email addresses over a decade.

chrisfosterelli
0 replies
17h10m

To be clear, I'm not saying I agree with it. But this isn't a feature for users that have password managers. It's a feature for the staff that handle dozens of calls per week from users complaining they never got the signup email when they had given the wrong email. There's better solutions to that problem though, and like I said I'd be the first to advocate for one. But I can see how it's an easy tool to reach for.

ssnri
0 replies
17h13m

That just takes the argument from bad to worse. “How will I condescend to my users without breaking their browser functionality?”

Zero times have I been saved by this feature

RheingoldRiver
1 replies
17h4m

On the github "delete repository" screen or other extremely destructive actions, it stops you from muscle-memorying the confirmation and then accidentally deleting the wrong thing. Since you are actually forced, like really forced, to type out what you expect to happen, you won't delete my-important-work-repo when you meant to delete my-temp-test-repo.

eviks
0 replies
15h12m

You're forced to copy the name manually, which is just mindless typing, so doesn't force thinking, for that you'd need to provide some meaningful info about the repo to make it click that it's not a temp, or better yet make these actions undoable for some time

wrs
0 replies
17h21m

Mostly it seems to be a countermeasure against mistyping your email/password and then copy/pasting that bad value into the “confirm email/password” box.

Nowadays it’s a (hopefully accidental) countermeasure against password managers!

freediver
15 replies
17h4m

This was one of those things that frustrated me so much that we ended up building this natively into Orion browser (Tools menu -> Allow Copy & Paste). [1]

One of the joys of building your own browser.

[1] https://kagi.com/orion

ghostpepper
5 replies
16h47m

How would you rate the security posture of Orion compared to Chrome?

freediver
2 replies
16h24m

Along what axis?

ghostpepper
1 replies
16h7m

Size of security team? Mean time to patch actively exploited CVEs? Availability of source? Etc

freediver
0 replies
15h35m

Same as Safari in that regard, albeit with a much smaller team (we inherit upstream patches from the WebKit team and publish them regularly, sometimes even before Safari like in the case of patching iLeakage vulnerability).

torstenvl
1 replies
16h13m

Well, there are apparently whole classes of JavaScript malware that Orion blocks but Google doesn't...

ghostpepper
0 replies
13h38m

This is exactly what I was asking, not sure why my post was downvoted

quadhome
2 replies
15h46m

Why allow pages to disable copy & paste at all?

musicale
0 replies
14h56m

It's kind of a misfeature, but the non-evil idea was probably to provide hooks for customizing copy and paste (or other standard command functionality) in beneficial ways, for example seamlessly copying and pasting custom data formats between web apps, or between web and desktop apps.

It is a law of the web that any potentially beneficial browser feature will immediately be (mis)used in an abusive, user-hostile manner.

Spivak
0 replies
14h55m

It's not about disabling it, it's about intercepting it by telling the browser that you're directly handling paste events and then doing nothing. The extensions just forces the browser default handler.
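Added example, not part of the thread and not the extension's own code: the interception described in the comment above, run against a small stand-in for DOM event dispatch so it works outside a browser. The `SimNode`, `SimEvent` and `dispatch` helpers and the three scenarios are constructed for illustration.

```javascript
// Stand-in for a DOM node: a parent pointer and a list of listeners.
class SimNode {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.listeners = [];
  }
  addEventListener(type, fn, capture = false) {
    this.listeners.push({ type, fn, capture: Boolean(capture) });
  }
}

// Stand-in for a cancelable event with the three methods that matter here.
class SimEvent {
  constructor(type) {
    this.type = type;
    this.defaultPrevented = false;
    this.stopped = false;
    this.immediateStopped = false;
  }
  preventDefault() { this.defaultPrevented = true; }
  stopPropagation() { this.stopped = true; }
  stopImmediatePropagation() { this.stopped = true; this.immediateStopped = true; }
}

// Capture phase from the root down, then the target, then bubble back up.
// Returns true when the browser would still perform its default action.
function dispatch(target, event) {
  const path = [];
  for (let n = target; n; n = n.parent) path.unshift(n); // [document, ..., target]
  const ancestors = path.slice(0, -1);

  const runListeners = (node, wantCapture) => {
    for (const l of node.listeners) {
      if (event.immediateStopped) return;
      if (l.type === event.type && l.capture === wantCapture) l.fn(event);
    }
  };

  for (const node of ancestors) {
    if (event.stopped) break;
    runListeners(node, true);
  }
  if (!event.stopped) runListeners(target, true);
  if (!event.stopped) runListeners(target, false);
  for (const node of [...ancestors].reverse()) {
    if (event.stopped) break;
    runListeners(node, false);
  }
  return !event.defaultPrevented;
}

// The page claims the paste event on the field and cancels the default action.
function pageBlocksPaste(input) {
  input.addEventListener('paste', (e) => e.preventDefault());
}

// Same cancellation, registered on the document in the capture phase.
function pageBlocksPasteEarly(doc) {
  doc.addEventListener('paste', (e) => e.preventDefault(), true);
}

// Counter-measure: a capture listener on the document stops the event before
// any handler lower in the tree sees it, so nothing cancels the default paste.
function forceDefaultPaste(doc) {
  doc.addEventListener('paste', (e) => e.stopImmediatePropagation(), true);
}

function pasteAllowed({ extension, pageCapturesFirst = false }) {
  const doc = new SimNode('document');
  const form = new SimNode('form', doc);
  const input = new SimNode('input', form);
  if (pageCapturesFirst) pageBlocksPasteEarly(doc);
  else pageBlocksPaste(input);
  // Registered after the page's handler on purpose: the capture phase on an
  // ancestor still runs before a handler on the field itself.
  if (extension) forceDefaultPaste(doc);
  return dispatch(input, new SimEvent('paste'));
}

console.log('page handler only:            ', pasteAllowed({ extension: false }));
console.log('with capture listener:        ', pasteAllowed({ extension: true }));
// Ordering caveat: a handler registered earlier on the same node in the same
// phase runs first, and stopping propagation does not undo preventDefault().
console.log('page captured on document 1st:', pasteAllowed({ extension: true, pageCapturesFirst: true }));
```
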

igetspam
1 replies
16h43m

Brave has a "force paste" that I use now instead of Chrome and the linked plugin. I assume the motivation was the same. (What a*hole thinks blocking paste is reasonable??)

Good on you for solving this too. It's a nonsense bit of functionality.

serial_dev
0 replies
16h26m

It's always incapable product owners and business people who don't understand security but think they do.

idonotknowwhy
1 replies
15h58m

Cheers for making Orion. I don't know how you guys managed to support Firefox and Chrome extensions (on iOS) but it's amazing and made moving from Android so much easier!

freediver
0 replies
15h34m

Just the sheer determination to build the best browser in the world :)

panja
0 replies
12h38m

Sadly, I am not in that ecosystem :(

cute_boi
0 replies
16h7m

The problem with orion browser is it is not opensource.

autoexec
15 replies
17h4m

You shouldn't need to trust an addon for this, it's something you should be able to set in the browser.

In firefox you can toggle dom.event.clipboardevents.enabled

gruez
7 replies
16h19m

IME this breaks paste functionality in some web apps (eg. certain terminal emulators or text editors)

Cyberdog
4 replies
15h28m

Who’s using terminal emulators and text editors in their browser?

Actually, don’t answer that. I’m afraid of the answer.

alpaca128
1 replies
9h47m

Never heard of Jupyter Notebook? And services like AWS also have editors and terminals, just like countless other sites.

fragmede
0 replies
9h13m

If you're a cli jockey and you haven't tried using bash together with Jupyter, you've gotta give it a shot.

lukan
0 replies
12h12m

Wikipedia does. Every site with a CMS. Google docs.

Here to write in the comments you use a simple text editor.

Chrome dev tools can also be used to change the code directly. Quite convenient to have the same dev tool behave and look the same on all the different platforms.

Also, everything ChromeOS related.

Was that so scary?

gruez
0 replies
15h16m

text editors

google docs, WYSIWYG editors built into any number of webapps

terminal emulators

ssh/serial consoles on whatever your hosting provider is. Sure, sometimes there's a command line tool to do the same on your OS's terminal emulator, but if it's for a task that you're doing once every few months (eg. recovering a bricked server), clicking a button on a website and getting a shell is just more convenient.

arp242
1 replies
16h13m

The worst is when it breaks web apps in really confusing, weird, and broken ways.

Slack, for example. Pasting becomes a complete clusterfuck. Things paste in the wrong location, incompletely, etc. I have no idea how they manage to fuck up "paste in a text box"...

Facebook Messenger also broke last time I used it where the tab would start using 100% CPU, but it's been a few years since I last used it, so don't know if that's still the case.

Anyway, I really wish I could do this per website. I have it disabled because GitHub started doing weird and annoying shit when I copy/paste stuff from comments and I absolutely hate it. But ... then it breaks Slack :-/

alpaca128
0 replies
9h49m

I have no idea how they manage to fuck up "paste in a text box"...

For over 5 years Enter has been broken in YouTube's comment text fields. It inserts a new line but often won't move the cursor. Last year for a while they changed the text to black in the dark theme and it was impossible to write comments because the text fields simply never showed up.

rand0mx1
2 replies
16h15m

Or you can hold shift button while right clicking to force open menu.

aitchnyu
1 replies
7h51m

My bank bans right click in addition to ctrl v.

Aissen
0 replies
3h52m

In Firefox, with the method proposed by the gp, they shouldn't be able to block it.

amethyst
2 replies
16h49m

I wish I could selectively disable only the "paste" events, because it's extremely useful to have "click to copy this value" type of buttons in our various work tools, and I miss the ability to do that every time I try turning off clipboard events to deal with bad actors.

themoonisachees
1 replies
9h56m

The solution to this is to treat your clipboard as public in the long term. Don't keep sensitive data in it for longer than you need it. KeePass does this and it's great.

arboles
0 replies
8h42m

Even when your password is erased from the clipboard after 10 seconds, that's enough for any of the tabs open in your browser to steal it.

coremoff
0 replies
8h57m

This used to break google docs copy/paste - haven't tried for a while though, maybe that's fixed

dkjaudyeqooe
14 replies
16h51m

To work around this I usually drag and drop text pasted into the URL field or somewhere, on my Mac at least.

Can I just say though that disabling paste, apparently in the name of security, is the dumbest shit I have ever encountered, right in front of ultra short timeouts everywhere.

If only I could meet the people who make these decisions in person...

S201
8 replies
16h10m

right in front of ultra short timeouts everywhere

If only I could meet the people who make these decisions in person...

For what it's worth, I was once forced to implement a half hour auto-logout on a website that could hardly be considered as containing sensitive data because an external pentest firm flagged the lack of a short timeout as an issue. The only way we could show clients a passing pentest was to comply with all of the findings. We all knew it was stupid but management gave us no choice but to implement it.

Nifty3929
3 replies
12h36m

"management gave us no choice" - Would you have done differently?

"The only way we could show clients a passing pentest..."

cnity
2 replies
8h32m

Push back on the pentest firm and explain reasoning, rather than bubbling pointless requirements to the engineers.

Kalium
1 replies
4h29m

That might work if your company hired the pen testers, it's a lot less likely to work if they were hired by a client. In the latter case, the overhead of all the required explanation and smoothing of ruffled feathers for the client likely costs a lot more than implementing the stupid timeout in the first place.

Pen testers are often very resistant to pushback. They get it a lot, and usually on things that are real concerns.

cnity
0 replies
3h1m

Good points.

BLKNSLVR
3 replies
12h16m

You must have had your shit pretty tight for the pen-tester to have to scrape that from the bottom of the barrel.

vidarh
2 replies
11h56m

Sometimes they will just be excessive because nobody applies any kind of critical thinking and/or because they favour looking like they find a lot over any kind of precision. I once had a site where they insisted on disabling ping responses for the website, citing it as a serious security concern. Because surely nobody would otherwise know that the very public website was there.

I replied with listing a number of websites of security focused organisations whose websites responded to ping, including assorted security services, military, and the pentesting company's own website.

(I didn't object to them querying what actually responded to the ICMP requests - none of them made it past the firewall, which is what replied and revealed nothing of our internal infra - I objected to them ignoring that answer and still insisting it revealed things it demonstrably didn't, and that lack of understanding was consistent through their report)

IgorPartola
1 replies
4h47m

I mean at that point isn’t the pushback “hey Management, this pentester is clearly incompetent. We need a new one.”?

vidarh
0 replies
2h42m

Yes, but with the problem that the pentester had been hired by our client and our client was a multibillion budget quasi-governmental organisation (transit authority) that was not inclined to listen because that'd involve mid-level managers sticking their necks out when they didn't need to and didn't know who was right.

So we did the British thing and went for a lot of passive-aggressive "oh, but how come it's ok for the CIA and your own website?" etc. to force them on the defensive and demonstrate that a lot of what they did was basically ticking pointless boxes.

We did manage to carve out some willingness in the client organisation to ignore bits and pieces as we clearly increased our credibility relative to the pen testers, but it was a massive pain.

twobitshifter
2 replies
5h43m

Here was a dumb one from me the other day.

- I had to use login.gov

- My password manager had a saved login for it, I didn’t remember it, but it worked

- Then the site asked me for an authenticator app code. I checked my authenticator apps and there was nothing there for login.gov.

- There’s a login another way button so I click that and the other way is use the authenticator app!

- I click what if I can’t get my code?

- It says I must DELETE my account.

- I click to delete my account and it sends me an email.

- The email says to wait 24 hours for another account deletion email.

- 24 hours later I get an email that allows me to delete my account.

What was in the account? I have no idea, but it seems that it must be sensitive for some uses of the login. But if it’s sensitive and important why am I able to delete the account, the most destructive thing? Why is an email enough for me to delete it but not enough for me to get an auth code?

wccrawford
0 replies
5h24m

I would guess that the 24 hour delay is to allow the real owner of the account a chance to cancel the delete if someone tries to mess with their account.

That said, you're right. This is really weird.

m3047
0 replies
1h7m

It's been too long and I don't clearly remember, but I think I had to use login.gov to establish an account for mumble. There was an option to print out a onetime pad (for 2FA); I chose it just for kicks. Haven't used it but I have it on file "against the day" I lose my normal second factor.

BLKNSLVR
1 replies
12h17m

Even MS Remote Desktop doesn't allow it.

Why do they think password managers exist?

themoonisachees
0 replies
9h58m

Mstsc doesn't allow it because the login screen for windows doesn't have copy-paste. It's not that it has been disabled, it's that it was never programmed to have something in the clipboard before logging in. Still, they probably could load the thing first easily, but it's Microsoft we're talking about.

theflyingelvis
8 replies
17h26m

Seems like a cool idea but perhaps a slightly less offensive name would be good.

theflyingelvis
5 replies
17h20m

I mean it doesn’t really offend me but it would be difficult to say recommend it to my mom. I guess it’s just me.

freedomben
2 replies
17h5m

Agreed. It doesn't offend me personally, but it's considered NSFW language in most workplaces. I would never name a project like that

arp242
1 replies
16h4m

NSFW language in most workplaces

It would have been fine literally everywhere I've worked.

I'm not saying there aren't places where this can be an issue. Partly this seems to depend on the region – in the US, in particular, it seems to be a big no-no, which I find odd considering how fucking often fuck is in fucking American media – the fuck is up with that? But outside of that? It seems to be mostly a non-issue.

freedomben
0 replies
13h3m

Probably because the US does have a pretty wide diversity, particularly when it comes to religion. In some areas you'll find a lot of Mormons (who are greatly offended by "fuck"), and in some Christians (where some denominations don't even like the word "crap" let alone "fuck"), in some Catholics who generally don't seem to care (I've heard some Catholic priests let loose some pretty blue streaks lol), and all kinds of others. Then there are people who aren't offended, but don't want to talk that way in front of their kids and don't allow their kids to talk that way. In a workplace in the US (where you can't discriminate based on religion as it's a protected class), it's a very bad idea to use that kind of language unless you know everyone around and you know that they don't mind. Even then, be aware of who might be nearby enough to hear. Getting an HR complaint against you for dropping an f-bomb is embarrassing and not very fun.

wtallis
0 replies
16h54m

If I'm in a situation where I need to recommend a browser extension to my parents to workaround UI dark patterns, I think we'd all be reassured by an extension name that makes it clear the author has the right attitude toward those dark patterns.

Let's not pretend there's anything polite about user-hostile UIs.

kstrauser
0 replies
16h49m

It’s not just you. You summarized my own feelings quite nicely: it doesn’t bother me a bit, but I wouldn’t recommend it outside informal circles.

zettabomb
0 replies
17h19m

IMO the very act of disabling paste is far more offensive but I get it. Not my project to change unfortunately.

vault
6 replies
9h35m

Anyone else noticed OP got 399 upvotes for sharing a fork with no significant upgrades compared to the original repo?

zettabomb
0 replies
4h43m

The fork is for supporting Firefox, which I consider to be a significant upgrade as I don't use Chrome in the first place. You can see the original repo easily, but it's far more annoying with GitHub to find a particular fork. I can keep it to myself next time if it offends you that much though, no reason to tell other people on HN about something I found interesting.

mrunkel
0 replies
8h43m

Well, this is for firefox, and the other is for Chrome, so maybe that's a significant upgrade?

luzojeda
0 replies
5h29m

IMO upvotes are due more to a "Yes, I agree, hate when that happens" than a "Thank you for this useful tool OP"

delegate
0 replies
9h3m

Oh yes, 3 files changed compared to parent and the changes are gitignore and updated URLs to the forked repo.

MezzoDelCammin
0 replies
8h57m

yep. Quite the WTF

Aissen
0 replies
7h33m

Original repo author rejected the PR for Firefox support, so the owner of the fork did just that - fork to add 6 lines of manifest:

https://github.com/jswanner/DontF-WithPaste/pull/29

(I admit though that the unrelated .gitignore change had nothing to do in the original PR)

oldandboring
6 replies
3h30m

I welcome this extension as I, too, hate when sites prevent me from pasting (eg. to confirm my account and routing number, email address, etc). It fucks with my password manager and of course it's annoying when intricate password rules are implemented to counter the use of weak passwords. BUT. Yeah there's always a but.

But. I have implemented these exact security measures into web applications. I've been handed the requirements and I implemented them. I asked my client why we had to do this, when "everyone" knows that this stuff is terrible user-experience and can backfire spectacularly for security (the same people who would memorize a shitty password and use it everywhere, will now write their expiring, "strong", impossible-to-remember password on a sticky note or save it to a text file or spreadsheet called 'passwords.txt' on their Desktop). The answer is: we have to, for compliance. To pass a security audit. To prove to some major client or insurance company that we have a number of industry-standard measures in place to improve security. Unfortunately, your bank does not care about the 2% of us using password managers. Everyone else is still memorizing passwords, forgetting them, and making jokes about it like it's 2003.

fredcy
2 replies
2h0m

Our PCI-compliance audit dings us for not disabling autocomplete on the login form fields. That's not the same as disabling paste, but heading that direction.

For personal use I just abandon any site that won't let me use my password manager (Bitwarden).

kalupa
1 replies
1h45m

you just abandon banking websites?

toonalfrink
0 replies
26m

Not that hard nowadays to switch to a decent developer-led neobank

hartator
1 replies
3h18m

The answer is: we have to, for compliance.

Do they?

I don’t remember seeing any compliance requirements you can’t reasonably push back. This is just overzealous compliance consultants meeting a team that doesn’t really care about their users. People never really question anything.

alex3305
0 replies
2h23m

Do they?

Probably not. In my experience most standards are pretty broadly defined with hardly any technical requirements.

For instance in ISO 27001 it states that you should create awareness in your organisation about information security. A very minimal way is to send a mass email to everyone in the organisation or hang up posters in the office. But I also spoke to someone that was determined that a half day security awareness training was minimally required.

adolph
0 replies
1h40m

You know that if paste-blocking countermeasures get too popular then the same sites will just implement virtual keyboards.

But I guess if that is too easy for folks with touchscreens then next will be the virtual mouse to click the virtual keyboard. Maybe add a randomly changing acceleration factor to the mouse to tell human and computer apart.

dugite-code
5 replies
16h57m

Bookmarklets are seriously undervalued. This is a simple and more importantly readable fix for the issue.

reticulan
1 replies
16h35m

i don't think they're undervalued compared to userscripts (with a dedicated extension for managing them).

NewJazz
0 replies
16h18m

Wonder if home-manager does user scripts.

evgpbfhnr
1 replies
14h59m

I wish firefox would let the wonderbar '*' search feature work with bookmarklets... As it stands I have a few I'll never use because they're 4+ clicks away with no typeable shortcut.

ringer
0 replies
9h43m

You can define a keyword for this, eg. ctrl+l - `ks` (kill sticky) - enter. It has some backwards because you still can't search by name and you have to remember the keyword and there is no auto-complete, but once muscle memory gets used to it, it works pretty well. I use keywords for bang searches (!keyword search term) and bookmarklets too.

- https://support.mozilla.org/en-US/kb/bookmarks-firefox#w_how...

al_borland
0 replies
16h9m

I really wish bookmarklets caught on more. They can provide a lot of the value of extensions, without running all the time and bogging down the browser (or tracking the user around the web). The lack of persistent tracking is probably what led companies like Amazon to abandon them.

moralestapia
4 replies
17h3m

Thanks for this!

Also related,

Who t.f. thought that

* Ctrl-V should be "paste with format"

* Meta-Shift-Whatever-Ctrl-V should be "paste without format"

I've never EVER had the need to copy some text and paste it with a different font face, color and ffs background color ...

Who is the genius UX expert that decided on this abhorrent behavior?

maple3142
0 replies
10h56m

Paste with format is actually useful sometimes. For example, you can copy from vscode and paste into Microsoft Word, then the resulting code will be properly formatted and highlighted.

kayodelycaon
0 replies
16h42m

It’s beyond aggravating. I use a clipboard manager (PasteBot on macOS) set to paste plain text by default. I can pop open the history and do command+enter to paste the rich text version.

fiddlerwoaroof
0 replies
16h24m

I don’t think it’s as simple as this: it’s annoying in the context of text editing, but when you’re dealing with spreadsheets or file managers or copying from a spreadsheet into a document or an image into a document, the rich object behavior makes a lot of sense.

I vaguely remember that really old versions of windows had a “live paste” feature where if you copied a range from a spreadsheet and pasted into a word document, the pasted object would update when you changed the spreadsheet

Solvency
0 replies
17h1m

I guarantee it's the guy who invented rich text fields and he just big dicked the fledgling UX team and because Big Development is incredibly paternal these crappy UX patterns never go away.

lolinder
3 replies
16h49m

For something simple like this that doesn't really need to be on all the time I've started leaning back towards bookmarklets over extensions. The code is usually simple enough to actually audit, it only runs when you click the bookmarklet, and it doesn't update underneath you without warning.

A few months back someone shared several bookmarklets that they use, one of which was a simple one that disables all clipboard events on the open tab:

https://news.ycombinator.com/item?id=38014653

eviks
2 replies
15h26m

But then you need to click

Also you can get the extension loaded locally, and it will never update

lolinder
1 replies
12h56m

I run into one of these broken-clipboard situations once every few months, I can afford to spend an extra click in order to not have an extension active on every website I ever visit.

eviks
0 replies
11h48m

It "ensure the extension is only running on sites that are bad actors with copy & paste events a", so what exactly can you not afford?

js2
3 replies
17h13m

For Safari you can get Don't Fuck with Paste (and lots of other Don't Fuck with X options) with the Stop The Madness extension.

https://underpassapp.com/StopTheMadness/

stefandesu
0 replies
7h18m

Came here to post this. It also works on iOS and on Firefox/Chrome on macOS.

lancesells
0 replies
16h23m

I was going to mention this but glad I found it. Great extension for Safari. One of the greatest things about this is you can change the options per website. So if you use something like Notion you can use their shortcuts just for their website and the default browser ones for everything else.

jiveturkey
0 replies
12h12m

ty!

I use both safari and chrome (and dabble in FF), and in my safari usage I haven't actually come across sites that disable paste. I kind of assumed this was built-in to safari, but I may just be getting lucky.

But the best feature of StopTheMadness is that it defeats the google link tracking! I've so missed that feature of whatever chrome extension I was using.

assimpleaspossi
3 replies
10h25m

Do we really have to put up with vulgarity even on HN?

It's bad enough to see it in the title--cause someone will say that's what the title is--but, as can be seen, it breeds unnecessary vulgarity throughout this thread.

To see the irony of it all, I'll get fucking downvoted for fucking complaining about this fucking shit and maybe get really fucked up by getting fucking banned.

Do you get my fucking point?

mtlmtlmtlmtl
0 replies
9h8m

I don't understand people who give a shit about vulgarity. And more importantly, people that expect other people to adjust to them. They're just fucking words. Lots of little things about the way some people write or speak may annoy me, like their dialect or some word/phrase they use too much, but the adult thing to do is to fucking deal with it and keep it to yourself. It's your problem, not everyone else's.

jjgreen
0 replies
8h49m

You kiss your mother with that mouth?

geraldhh
0 replies
9h48m

vulgarity in the title makes sense, in your comment not so much.

if you don't get the point you may gtfo or make new account

nedt
2 replies
7h2m

In case of not being able to paste I normally right click -> inspect element and in the console write $0.value="value from clipboard". Works almost everywhere.

Tampering with paste is kinda is like turning of autofill and the HTML5 standard is pretty clear when it should only be turned of: ".. particularly sensitive (for example the activation code for a nuclear weapon); or that it is a value that will never be reused (for example a one-time-key for a bank login) ..."

causal
1 replies
3h53m

That plainly seems like a mistake in the standard that harms security. What's the reasoning there? That somehow human fingers are less prone to error than password managers?

The only thing I can think of is malware changing the value of the clipboard to fool someone into pasting the wrong thing - but if you open that scenario then you've got all kinds of ways malware could mess with a manually typed field too.

nedt
0 replies
3h19m

I see I was missing an f in off. The standard says unless it's an interface on a WMD or similar let the browser autofill. The part of one time passwords that might have been indeed obsoleted by 2FA. On the other hand we might still want a single user interaction there even if it's just confirming the full value instead of typing in the 6 digits - much like passkey is doing it.

megous
2 replies
17h23m

Used to be simple to workaround this with basic web APIs (el.value = 'whateverIwant'), until this newfangled web framework from Facebook broke the web.

alisonatwork
1 replies
16h53m

This. One especially infuriating trend appears to be not even using the HTML input box at all, the JavaScript just intercepts the keydown event which then (deliberately?) triggers a slow calculation before eventually rendering a star in the text-field-that-actually-isn't, breaking even "auto type" solutions. So you sit there like an idiot every time you log in, with your password manager open and password unmasked, copying each character, laboriously, one-by-one. I can't fathom how this sort of thing gets by management, who are presumably told it increases security, but then apparently never actually try to use the end product.

Even worse is when the suggestion comes to use an app instead of the website, and then the app comes with its own dedicated keyboard that isn't your own phone's keyboard, because "security" and then they scramble the position of all the letters and numbers, making it even slower.

benmanns
0 replies
16h34m

Ahh 00s/10s era ING Direct and TreasuryDirect. I think TreasuryDirect finally dropped the virtual keyboard in the last couple years.

afandian
2 replies
11h7m

Has anyone else noticed that copy / paste on Mac OS / Firefox has become unreliable some time in the last 5 years? I don’t know if it’s Firefox or Mac OS but I’ve started finding it copied the wrong thing or ignored a copy command.

yungporko
0 replies
11h2m

pretty sure it's macOS. i don't use firefox but id say roughly 4/10 times i try to paste something i just copied, the clipboard is empty and i have to do the whole thing again.

marcosdumay
0 replies
2h16m

I've had VirtualBox clipboard integration failing, and I've had Firefox refusing to let sites add things into the clipboard by Javascript.

But in my experience, local Crtl-C Ctrl-V is flawless on Linux / used to be X11, now Wayland / KDE / Firefox.

MaxikCZ
2 replies
9h46m

Is there a way I can tell my browser to always force dragging over text to select that text, regardless if it's a hyperlink?

flyflyFenix
1 replies
9h42m

Hold alt and then select text with left-click drag. It works most of the time. Enjoy :)

out-of-ideas
0 replies
9h24m

key words: most of the time

like when you get trolled by Atlassian's crap tier website where the wiki/jira-pages do not allow selecting some text blocks (and makes it even harder to tell somebody to browser-page-search for a particular string)

2024throwaway
2 replies
5h10m

I use Hammerspoon for Mac, have a shortcut set up for Cmd+Shift+V to actually type the letters rather than use the paste function. Works every time someone pulls this stunt.

    hs.hotkey.bind({"cmd", "shift"}, "V", function() hs.eventtap.keyStrokes(hs.pasteboard.getContents()) end)

reaperman
0 replies
1h29m

I also do this with AHK on Windows, even using the same keystroke. Though I add a small 10-50ms delay between each keystroke, otherwise the input can get mangled sometimes.

brushfoot
0 replies
5h2m

I do the same with AutoHotkey for Windows. It's also come in handy in remote connection GUIs that default to the remote clipboard and legacy desktop applications with controls that don't support pasting.

whywhywhywhy
1 replies
7h19m

Find it utterly infuriating when devs feel the need to disable my autocomplete settings, spellchecking or paste.

Like I have a setting to auto insert my email if I type @@ and so many input fields have text complete disabled somehow despite me using it as a sure fire way my email is correct.

Disabling spellchecking or rolling your own spellchecking is the most egregious of all

tracker1
1 replies
8h58m

This really irks me to no end with password managers in particular. I like to generate 30 character random passwords and sites that limit input or block paste in the verify field are particularly annoying.

Similar for login and 2FA entry fields. There's no good reason for it.

I've often gone an extra bit to ensure password managers work well. I wish more sites would do the same.

ggrelet
0 replies
8h23m

I find passphrases to be better at tackling this exact scenario (and others). The password is long and secure but easy to type because it’s composed with actual English words.

reilly3000
1 replies
12h15m

Blame ACH. It’s a putrid protocol that is far easier to get wrong than right. Once that daily file is pushed it’s a dozen people’s time to hope to fix a failed transaction, and there is no guarantee that the money will stay where it wasn’t meant to go. It’s one of those things the leaves you feeling “this needs to be better” yet it moves more money than almost any other means. All the upfront friction on users is to get it right should be some indication of what a catastrophe it is to fix.

cubancigar11
0 replies
12h10m

Upi fixes it, but has cultural resistance in the west.

phyzome
1 replies
16h5m

A couple alternative ways to paste, at least in my current Linux environment:

- Paste the text somewhere else, then drag it onto the text field

- Highlight the text elsewhere, and middle-click on the text field

I've only ever found one site that blocks both of those too.

aitchnyu
0 replies
7h39m

[picks up chunks of brain off the ceiling] Just tried: Bitwarden allows dragging and dropping (hidden) fields into text boxes.

mr-ron
1 replies
14h48m

Any time im in this situation i just go to the Menu > Edit > Paste.

Usually any overrides are preventing CTRL > V

Am4TIfIsER0ppos
0 replies
8h33m

A menu? We have no need for such outdated shit in CURRENT YEAR.

- Sincerely every browser maker since 2010

cyber-nic
1 replies
11h31m

Extension for this might be a little overkill.

Copy whatever you want to "paste" in the URL bar. Then select that and drag it into the input that has paste prevention.

Ringz
0 replies
6h34m

What happens with the url? If it’s gone will the form work as intended?

SubiculumCode
1 replies
16h49m

There is one thing I hate more. It's having my cursor moved to another application as I am typing out a password in a field. I've literally had to change a password after it suddenly got sent out in a google search when I wasn't paying attention.

eviks
0 replies
15h21m

Stealing focus should be a misdemeanor! unfortunately it's a pervasive UI flaw

Solvency
1 replies
17h4m

How about an extension that STOPS websites from NOT letting me right-click. When a site forceS me to go through the stupid Chrome menu to laboriously drill down and find Developer Tools manually I want to throw it out the window.

visarga
0 replies
8h52m

My peeve with copy&paste is that it often fails to copy, not to paste. I sometimes need to copy three times until I succeed a paste. Does anyone see this problem?

seqizz
0 replies
8h42m

Alternative for linux users, which "types" the thing on clipboard to the window you select:

    alias pasteplease='xclip -selection clipboard -out | tr \\n \\r | xdotool selectwindow windowfocus type --clearmodifiers --delay 25 --window %@ --file -'

seiferteric
0 replies
17h2m

Also annoying, not labeling your inputs right so auto-fill doesn't work.

quitit
0 replies
9h18m

For mac/iOS users on Safari, Firefox or Chrome: StopTheMadness is also a handy utility that tames these and other website bad behaviours.

https://underpassapp.com/StopTheMadness/

pluc
0 replies
6h52m

Just turn off Javascript with No-Script and selectively turn it on.

It makes the web such a better place.

pjerem
0 replies
11h19m

Fucking with paste is gruesome.

Breaking back button is infuriating.

Yesterday I stumbled upon something even worse: breaking CTRL+F to replace it by a custom search. I know Google Docs / Drive does this but I tolerate it because classical ctrl+f doesn’t even make sense on their apps but here it was on a forum. I knew what I searched was on the displayed page but no, they forced me to search on the entire hundreds of pages of the topic.

[/rant] Sorry.

novoreorx
0 replies
38m

I find it more annoying when a site prevents me from copying content from it, is there a sibling project called “Don’t fuck with copy”?

nico
0 replies
17h2m

Love this

Copy and pasting is such an essential part of everyday computer usage

Also can relate a bit as a developer, recently been struggling trying to get scrolling paste capture on a remote terminal with ncurses (wide lines, long texts, utf8 characters, can all be tricky)

mattmaroon
0 replies
16h30m

Been using this for awhile. It works.

kylecordes
0 replies
17h11m

I use this similar but even older tool, which still works. This one is Mac-specific but works across most/all apps, i.e. not a browser plugin.

https://github.com/EugeneDae/Force-Paste

jordanpg
0 replies
2h52m

Somewhere on this site is a developer who thinks this is a good idea. Or whose boss thinks this is a good idea.

I'd love to hear a defense of this practice.

j1elo
0 replies
2h21m

Merging the bookmarklet version of the upstream addon this one is forked from [1] and another bookmarklet that has been posted in comments here [2], I got to this:

    javascript:['copy','cut','paste','contextmenu','selectstart'].forEach(e=>document.addEventListener(e,e=>e.stopImmediatePropagation(),true));

Right now I cannot think of any page that inhibits pasting, what is a good candidate to test this out?

[1]: https://github.com/jswanner/DontF-WithPaste?tab=readme-ov-fi...

[2]: https://bookmarkl.ink/ashtonmeuser/6e3869d8e468e016f22a4b4de...
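
The capture-phase trick in the bookmarklet above, worked through as an added example (not code from any commenter or from the extension): a simplified model of DOM event dispatch, runnable in Node, that shows which placements of a page's paste blocker the document-level `stopImmediatePropagation` listener overrides and which it cannot. `ModelNode`, `ModelEvent`, `dispatch` and `pasteAllowed` are names made up for this example, and the page structure is constructed.

```javascript
// Simplified model of DOM dispatch (capture -> target -> bubble) so the
// behaviour can be checked without a browser. Not a full DOM implementation.
class ModelNode {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.listeners = []; // entries: { type, fn, capture }
  }
  addEventListener(type, fn, capture = false) {
    this.listeners.push({ type, fn, capture });
  }
}

class ModelEvent {
  constructor(type) {
    this.type = type;
    this.defaultPrevented = false;
    this.stopped = false;          // no further nodes are visited
    this.stoppedImmediate = false; // no further listeners at all
  }
  preventDefault() { this.defaultPrevented = true; }
  stopPropagation() { this.stopped = true; }
  stopImmediatePropagation() { this.stopped = true; this.stoppedImmediate = true; }
}

// Run a node's matching listeners in registration order.
function invoke(node, ev, wanted) {
  for (const l of node.listeners) {
    if (l.type !== ev.type || !wanted(l)) continue;
    l.fn(ev);
    if (ev.stoppedImmediate) return;
  }
}

// Returns true when the default action (inserting the clipboard text) still runs.
function dispatch(target, type) {
  const ev = new ModelEvent(type);
  const path = [];
  for (let n = target; n; n = n.parent) path.unshift(n); // window ... target
  const ancestors = path.slice(0, -1);
  for (const n of ancestors) {                 // capture phase, outermost first
    invoke(n, ev, l => l.capture);
    if (ev.stopped) return !ev.defaultPrevented;
  }
  invoke(target, ev, l => l.capture);          // at target: capture listeners first
  if (!ev.stoppedImmediate) invoke(target, ev, l => !l.capture);
  if (ev.stopped) return !ev.defaultPrevented;
  for (const n of ancestors.reverse()) {       // bubble phase, innermost first
    invoke(n, ev, l => !l.capture);
    if (ev.stopped) break;
  }
  return !ev.defaultPrevented;
}

const EVENTS = ['copy', 'cut', 'paste', 'contextmenu', 'selectstart'];

// blockerPlacement: where the page registered its paste blocker (constructed cases).
function pasteAllowed(blockerPlacement, withBookmarklet) {
  const win = new ModelNode('window');
  const doc = new ModelNode('document', win);
  const form = new ModelNode('form', doc);
  const input = new ModelNode('input[type=password]', form);
  const block = e => e.preventDefault(); // what a paste-blocking page does
  const place = {
    'input':            () => input.addEventListener('paste', block),
    'document-bubble':  () => doc.addEventListener('paste', block),
    'document-capture': () => doc.addEventListener('paste', block, true),
    'window-capture':   () => win.addEventListener('paste', block, true),
  };
  place[blockerPlacement](); // the page's script runs before the user clicks the bookmarklet
  if (withBookmarklet) {
    EVENTS.forEach(t =>
      doc.addEventListener(t, e => e.stopImmediatePropagation(), true));
  }
  return dispatch(input, 'paste');
}

for (const p of ['input', 'document-bubble', 'document-capture', 'window-capture']) {
  console.log(p.padEnd(17), 'before:', pasteAllowed(p, false), 'after:', pasteAllowed(p, true));
}
```

A blocker attached to the field itself or delegated in the bubble phase never sees the event once the bookmarklet is installed; a blocker registered earlier in the capture path (on `window`, or on `document` before the bookmarklet ran) still cancels the paste.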

iansinnott
0 replies
16h24m

100% in agreement with regaining paste. Another workaround is to create a macro that will "type" the clipboard contents, simulating typing it out by hand.

On macOS you can do this via Keyboard Maestro [1]. Create a macro with the action "Insert text by typing" and for the text to insert use `%PastClipboard%0%`.

Yes, very niche, but I'm sure some HN users already use Keyboard Maestro.

[1]: https://www.keyboardmaestro.com/main/

graynk
0 replies
5h40m

I normally just inspect the element in dev tools and disable the attached paste event handler. Not the most convenient way, but also I don’t need to do it all that often

gnyman
0 replies
12h19m

Another app/extension which fixes this and a lot of other things is the aptly named StopTheMadness https://underpassapp.com/StopTheMadness/

(No relation other than being a happy user)

fortran77
0 replies
3h48m

My HMO does this, and I've complained year after year.

They also specify a limit of 15 characters in the text above the "change your password" field, but it actually is limited to 14 characters.

Imagine the frustration when you type in a 15-character randomly generated (from a password generator) password twice, and then have the system reject it because it is too long!

If I ever have any extra time, I'll see if I can sue Sutter Health for an "ADA" or similar violation over this.

eviks
0 replies
15h23m

At a more general level you can use a keyboard remapping app like Keyboard Maestro on a Mac and Autohotkey on Windows to insert text by simulated typing, though it has the downside of requiring a different shortcut

est
0 replies
10h28m

I think browsers need to implement an optional <body onload="disable_javascript()"> feature.

Stop js shit after the page loads complete. Only enable js when user interacts with a button or something.

drey08
0 replies
16h16m

In a similar vein some of the AWS console pages make it hard to select text and use ctrl^c to copy it. It often deselects the text as soon as you hit ctrl. It is extremely irritating.

datavirtue
0 replies
16h29m

I was paying my real estate taxes recently and the payment processor chosen by the county wouldn't let me paste anything. It was fucking bananas. I had to type in bank account numbers and routing numbers. None of the form filling worked. I was paranoid the whole time about entering the wrong data, and I wanted to punch someone in the throat for that bullshit.

bluish29
0 replies
9h57m

For me this is annoying and I really hate websites hijacking paste. But it is more annoying on the phone specially when creating passwords with password manager. Does anyone know something that will work for safari?

blkhawk
0 replies
9h1m

This is why I build an external password thing that emulates a keyboard. Nothing some stupid braindead "security" implementation can do to prevent that from working. It does TOTP too. I had fun with hooking it up to my phone via BT for proximity unlocking. Part of its secret lives on the phone.

I wouldn't say it's very secure since I didn't bother with implementing a proper asnc encryption for the bt part. And it's still vulnerable to a variety of evil maid attacks. My threat model doesn't involve that to ever matter. It should be practically fully resistant to remote full-take attacks.

amarant
0 replies
6h41m

Tangential at best, but this project made me think of evilpass, which is the funniest password validation scheme ever!

It probably does increase security, but it also gives the impression of actively hacking you.

https://github.com/kitzin/evilpass

alwayslikethis
0 replies
3h13m

This should really be a browser config option or context menu item, among other things. Browsers today take far too much control out of the user to allow web developers to create hostile websites.

- Force select

- Force copy

- Force paste

- Spoof tab visibility ("Don't make me watch" extension)

- Force right click (Firefox has this)

a1o
0 replies
17h27m

Last commit is 4yr ago but I remember using this in the past

Fnoord
0 replies
9h48m

Hmm, if it's JS, don't allow JS by default? uMatrix for example works in that regard.

DinaCoder99
0 replies
16h53m

I've found you can also just disable javascript, paste, and reenable javascript again.

BeefWellington
0 replies
16h16m

Firefox has some about:config settings for this:

* dom.event.clipboardevents.enabled

* dom.allow_cut_copy

And also, the ability to force a paste as plaintext or force right-clicks to behave properly by using shift.

2d8a875f-39a2-4
0 replies
11h41m

Should be more like "don't fuck with anything".

0xfaded
0 replies
15h10m

Omg I was being interviewed on coderpad today and something was eating my ctrl-c. So frustrating