Hey front-end folks, just a quick note. Never ever ever ever ever mess with my browser. It's not yours, it's mine. I'm letting you use it for free to render your bloated sites.
As if any front end developer came up with this. Anyone who has ever had a job in the industry knows this is straight from management.
I would think management can't be that adamant about not letting users copy-and-paste... I would also think front end folks should try saying "no" to at least some of those silly requests
Large corporate/government IT lives on another plane of existence. Rules are made in some far-flung office and enforced through edicts that can't be challenged, partly because nobody knows exactly who created them, partly because nobody wants to stand out, and partly because yes-men surround the upper levels of management.
Anyway, somebody somewhere about a decade ago seems to have injected into the heads of such rule-makers that users who paste their password confirmations defeat the purpose of the confirmation mechanism, which was leading to excess support requests for forgotten passwords. So, therefore, pasting into the confirmation box (or even better, both boxes) should be disabled.
Never mind that password rules have gotten more complex, that allowing users to temporarily preview their passwords instead is now recommended, or that the use of password managers and online password resets means even if the original concern were valid, it's now moot. The rule exists, and so it must be followed.
At some point these corporations do lurch forward (or die), so eventually this will get changed, but it'll happen way slower than it should.
Honestly, 1Password (& co.) should have an option to "Type password" next to "Paste password".
Prevent that, you stupid website, I dare you!
It does, actually. (At least the old self-hosted version that I still use does. Don't know about the newer one.)
Fwiw keepass and keepassxc allow you to do this.
This shit is usually from "security" which, in corps, is just an endless list of boxes that you need to check and are handed over from manager to manager. Everyone is scared to actually remove anything from the list because nobody knows who is actually responsible for maintaining it; getting through the hierarchy to even find such a person would take a month; if you find him, he will tell you "oh it's for compliance with <some mysterious government/iso/owasp document that's 20 years out of date>, safer to keep it there"
Exactly, good luck convincing management not to do something that the infosec team suggested even though it provides an insignificant amount of security. The hackers you really have to worry about aren't using your front end, they're submitting directly to your endpoint to bypass exactly these kinds of things.
That one may be coming from the InfoSec guys.
"Infosec mill agency that looks for easy wins to justify the high price tag they charge enterprise clients like Broadcom"
FTFY.
Disabling copy-paste is exactly the kind of thing that a higher-level manager sees on some website, decides immediately that it’s very important for content protection and IP and trade secrets and whatnot, then emails a middle manager to have this implemented ASAP. A week later the request has filtered into a ticket that lands in the front-end developer’s inbox.
What should the developer do exactly? Ignore the ticket? Educate the manager who’s perhaps three steps up in the hierarchy and doesn’t even know the person’s name who is charged with implementing the misfeature? Neither would go down well.
Not in my experience, and not for trivial things like this. I'm sure this varies widely with employer, location and life situation, but generally these kinds of annoyances are both far from the worst that people need to do / tolerate, and they don't have any say in what goes into the product: they either implement it, or someone else implements it and they can go work someplace else if they don't like it.
I do some front end work. I push back on things and win some battles re-directing them, but ultimately if the client pays to do a stupid thing, they get the stupid thing. It is their website, not mine.
I can't imagine any front end person spending extra time blocking the paste function when nobody asked them to do that. This may also come as a surprise, but sadly management and infosec don't always take advice from the front end developers.
This isn’t a front end dev problem.
You can say no but management isn’t under any obligation to capitulate, and often won’t.
Moreover, it’s often solutioneering as a result of some other management-identified issue that devs have pushed back on.
This is the imbecile's solution to people pasting in their passwords from a text file. Except some people paste them in from their password manager.
Also, the error he got when he tried to put in the password the first time is likely because there's a mismatch between what it claims the password rules are, and what they really are. He might have exceeded the maximum password size (yes, I know they're supposed to be salted in the backend, and maybe they even are, but you still run into this). Or it might be that he used disallowed punctuation (some sites seem to dislike anything other than question marks and the ones over the 1-2-3 keys... I've personally seen the percent sign and ampersand both cause problems).
If there were some little embedded xml file that my password manager could pull from the page automatically that would tell it what the rules are, then I wouldn't have to debug your shitty account creation systems, nameless developer drones out there working for big companies! Not that you care.
Hm? No, it really did come from a front-end person.
There was a period in the late-aughts when people wanted to emulate the iPhone's inertial scrolling on the desktop. Most modern sites had it and it was infuriating.
That's probably around the time when this site was built.
I'm thinking you may not have made it all the way to this part of the article when you were reading it, but here's the rest of the context.
Forcing the user to type the password manually rather than letting them paste something in. I think the original idea was to not allow them to mistype the first one, then paste the typo in the second field. But it's a dated practice and very annoying.
I once worked on a project for a Pharma company and this one guy tried very hard to push his password requirements and no pasting stuff, but luckily we convinced someone with final say that we should just follow the NIST guidelines for password reqs and leave the UX of the password field up to the UX people lol.
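The NIST-style password rules the comment above settles on (and the "claimed rules vs. real rules" mismatch described a few comments earlier), as an added example that is not from the thread or from any project it mentions. It follows the memorized-secret guidance in NIST SP 800-63B: a length floor of 8, a ceiling of at least 64, every printable character including space, `%`, `&` and Unicode accepted, no composition rules, and a check against a list of known-compromised values. The block-list here is a constructed sample, and keeping the policy in one object that both the form text and the server check read from is my choice, not something the thread prescribes.

```javascript
// Added example (not from the thread): password acceptance per NIST SP 800-63B.
// One POLICY object feeds both the server-side check and the text shown to the
// user, so the form cannot claim rules that the backend does not actually apply.

const POLICY = Object.freeze({
  minLength: 8,   // NIST: user-chosen secrets must be at least 8 characters
  maxLength: 64,  // NIST: verifiers should allow at least 64; never silently truncate
});

// Constructed sample block-list; a real deployment uses a large breached-password set.
const BLOCKED = new Set(['password', '12345678', 'qwertyui', 'letmein1']);

function checkPassword(candidate) {
  // Count Unicode code points, not UTF-16 units, so one emoji counts as one character.
  const length = Array.from(candidate).length;
  const problems = [];
  if (length < POLICY.minLength) problems.push(`shorter than ${POLICY.minLength} characters`);
  if (length > POLICY.maxLength) problems.push(`longer than ${POLICY.maxLength} characters`);
  // Reject only control characters; every printable ASCII symbol, space and
  // non-Latin letter is acceptable, and there are no "must contain a digit" rules.
  if (/[\p{Cc}]/u.test(candidate)) problems.push('contains control characters');
  if (BLOCKED.has(candidate.toLowerCase())) problems.push('is on the compromised-password list');
  return { ok: problems.length === 0, problems };
}

// The same POLICY object produces the help text, so UI and server agree by construction.
function describePolicy() {
  return `${POLICY.minLength} to ${POLICY.maxLength} characters; any printable character ` +
    `(spaces, %, &, non-Latin letters) is fine; pasting from a password manager is allowed.`;
}

// Stand-alone demonstration.
for (const p of ['correct horse battery staple %&', 'short', 'Password']) {
  console.log(JSON.stringify(p), checkPassword(p));
}
console.log(describePolicy());
```

Because `describePolicy` and `checkPassword` read the same constants, the scenario in the comment (a form that lists one set of rules while the backend rejects on another, or clips the password at a length the form never mentioned) cannot arise from the policy drifting in two places.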
I do agree though that smooth scrolling was a front end developer offense, luckily it went out of style pretty quickly.
correct. the other analysis here is wrong. we see similar for payments where user is not allowed to paste in ACH info.
but this isn’t exactly about user error per se. this is about support cost for bad entries. if the user types a wrong password during registration the recovery of such is very hard. the common user (even of a product like fusion) is VERY unsophisticated and will have severe problems recovering. the more advanced user will have plugins that disable paste disabling. the middle skill user (like in the post) will get past it on their own.
so net net this is just another case of this is why we can’t have nice things. they “have to” address that bottom (skill) level of users.
personally i can excuse this. the rest, not so much!
I think we can go another level up though: why are browser vendors allowing it if it's verboten — if they make it possible, someone will use it.
No one's going to risk their job over their boss's inane request to break copy & paste.
yeah I can't really think of a good use case for blocking paste. the Clipboard API is useful in general though and a good addition overall even if some people misuse it.
As I understand it, you need to be able to replace the paste command with your own custom thing for stuff like Google Docs. But then you can always just replace it with a no-op.
I wonder. In my experience, all Indian news media outlets (except two) hijack the clipboard. If you select and copy an entire paragraph, in your clipboard you get only the first few words and a link to the article. While I hate it and think they are being hostile to me, I think they are catering to a usage pattern: if you paste that stuff in WhatsApp, the readers would definitely get a link to the article. Traffic guaranteed.
Side note on this clever work around https://github.com/aaronraimist/DontFuckWithPaste
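The paste blocking discussed above and the user-side fix the DontFuckWithPaste link points at, as an added example that is neither the thread's nor that project's code. It models only the parts of DOM event propagation that matter (capture phase from the root down, then the target, then bubbling back up, plus `preventDefault` and `stopImmediatePropagation`) so the two pieces can run in Node without a browser. The site-side blocker is the common `paste` listener that calls `preventDefault`; the countermeasure is written here from scratch on the assumption that a capture-phase listener on `document` calling `stopImmediatePropagation` is the approach such tools take, which is an assumption about that project, not a statement of its implementation. The `FakeNode`/`FakeEvent` classes are stand-ins for the real DOM.

```javascript
// Added example (not from the thread or from DontFuckWithPaste): a minimal model of
// DOM event propagation, enough to show why a capture-phase listener registered on
// the document can neutralise a page's paste blocker without touching the page's code.

class FakeEvent {
  constructor(type) { this.type = type; this.defaultPrevented = false; this.stopped = false; }
  preventDefault() { this.defaultPrevented = true; }           // cancel the browser's default action
  stopImmediatePropagation() { this.stopped = true; }          // no further listeners, on any node
}

class FakeNode {
  constructor(name, parent = null) { this.name = name; this.parent = parent; this.listeners = []; }
  addEventListener(type, fn, capture = false) { this.listeners.push({ type, fn, capture }); }
  dispatchEvent(event) {
    const path = [];                                     // target first, root last
    for (let n = this; n; n = n.parent) path.push(n);
    const run = (node, capturePhase) => {
      for (const l of node.listeners) {
        if (event.stopped) return;
        if (l.type === event.type && l.capture === capturePhase) l.fn(event);
      }
    };
    for (const n of path.slice(1).reverse()) { if (event.stopped) break; run(n, true); }  // capture: root -> parent
    if (!event.stopped) { run(this, true); run(this, false); }                              // target
    for (const n of path.slice(1)) { if (event.stopped) break; run(n, false); }             // bubble: parent -> root
    return !event.defaultPrevented;   // as in the DOM: false means the default action was cancelled
  }
}

// What a paste-blocking site does: cancel the paste event's default action on the field.
function installPasteBlocker(field) {
  field.addEventListener('paste', (e) => e.preventDefault());
}

// The user-side countermeasure (assumed approach): a capture-phase listener on the
// document runs before the field's own listeners and stops them, so preventDefault is
// never reached and the browser's normal paste proceeds. In a real browser this is
// document.addEventListener('paste', handler, true) from a user script or extension.
function installPasteRestorer(doc) {
  doc.addEventListener('paste', (e) => e.stopImmediatePropagation(), true);
}

// Build document -> form -> input, apply the chosen pieces, and report whether the
// pasted text would still be inserted into the field.
function pasteSurvives({ siteBlocksPaste, userRestoresPaste }) {
  const doc = new FakeNode('document');
  const form = new FakeNode('form', doc);
  const input = new FakeNode('input[type=password]', form);
  if (siteBlocksPaste) installPasteBlocker(input);
  if (userRestoresPaste) installPasteRestorer(doc);
  return input.dispatchEvent(new FakeEvent('paste'));
}

console.log('plain page:          ', pasteSurvives({ siteBlocksPaste: false, userRestoresPaste: false }));
console.log('site blocks paste:   ', pasteSurvives({ siteBlocksPaste: true, userRestoresPaste: false }));
console.log('blocked + user fix:  ', pasteSurvives({ siteBlocksPaste: true, userRestoresPaste: true }));
```

The point the thread makes about "replace it with a no-op" is visible in the last line: stopping propagation does not cancel the default action, so the paste goes through exactly as if the site had never installed its listener. It also shows why the blocker buys no security: it only ever ran in the user's own browser, where the user has the last word.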
This edge is a greatly under-acknowledged and under-represented boundary of propriety, and is routinely flagrantly and hypocritically overrun by organizations with legions of attorneys who fight tooth and nail to stake their claims in the providence of others.
The close cousin is the "click-wrap" agreement, which should be the very first point of engagement for access to any resource that employs it, but is perennially represented as an afterthought which a priori deprives the visitor of recourse from his later exploitation using the form of a "contract" which is fully understood by everyone to not be read, is written in gibberish, and placed at the very end of a primrose path of necessity for access to one's own labors.
A huge warning sign of the intrinsic rentier dynamic of the high technology industry has been built into every PC since the dawn of the era and on prominent display: the "Welcome" screen. You think you are being warmly greeted upon arrival to the cusp of a vibrant commons, but you are actually being told in no uncertain terms that the PC you just bought was pre-appropriated by its software. The purchase price is rent. The device is your property only in the sense that you own the direct costs of its failure and disposal. You are given an account with limited access to its capabilities and are permitted to access it under the auspices of your hosts. Your work is without value to your hosts. The device is a conduit of your continuing consumption, controlled as tightly as possible, which with every step into its labyrinth further reduces, limits and degrades the value of your work to you, and shifts its value to the device purveyors.
This hazard is conventional to the structure of every web service today, including this one: your data (work) goes in and never comes out. It's trapped in the dynamic and context maintained by the host.
No social media architecture today respects your work in context, including this one.
Your comments should belong to you, be hosted by you, and maintained in a mutually shared and beneficial context. But instead your comments go into a black box which you are permitted to review, in exchange for locally issued currency called (tragically) "karma" which is simply a mechanism for limiting your visibility within a hopelessly regressive and passé format of a reverse-chronologically ordered list of the popular. Everyone on the social web is a serf, tilling a text box, and sharecropping status.
My making an example of HN is not to call it out for being egregious. HN is completely ordinary. I'm merely offering an example of how totally indoctrinated the technogentsia is to these dark patterns of social networking architecture and how blind everyone is to them.
It's pretty weird that these dark patterns are so pervasive when you consider that the ideological bent of most computer technologists is "libertarian".
But I should note that California ideology is inherently Randite, and Ayn Rand was a deeply disturbed person.
With transformer AI we have now seen that every human input on the web has specific economic value which is being aggregated and harvested towards the creation and consolidation of enormous kingdoms of social wealth and privilege. This is being done completely without regard for the principles of propriety that software and MSM content publishers have represented through law as being essential to the construction of a commonwealth.
Every output of a transformer is a derivative work without even attribution, much less royalties.
And the AI technologists seem poised to have transformers run interference at every level of "customer" interaction with new architectures.
The more you look into it, the more you will see that high technology has been an epic swindle to transfer control of a commons to narrow silos of exceptional privilege, in which not only does the commonwealth shrivel in exchange for the tech's very limited public advantages, but the vehicle you use for your contributions endlessly deprives you of the just fruits of your own labors, encircles you with infrastructure beyond your reckoning, and enforces your conformance to alien protocols via dark patterns.
Much as automobiles make every destination into a parking lot, so the web browser has made every avenue to knowledge end in a gate which is ever further obfuscated into an opportunity to withhold something of value from the visitor, including the value of your own work in context.
"Welcome."