return to table of content

The web's clipboard, and how it stores data of different types

cebert
21 replies
3d6h

Nice writeup. This explains why I have issues trying paste with/without formatting on Firefox on my Mac in Google Docs. It’s interesting that Google is using a deprecated API to add their own content type format to the clipboard.

throwaway48476
20 replies
3d1h

At some point the Google web should be declared an official fork of the web.

dumbo-octopus
17 replies
3d1h

If some bigwig has marked an API “depreciated”, but hasn’t provided a viable alternative and the user experience suffers when user agents stop allowing their users to invoke the helpful functionality, the agents who do let their users do what they want are not the issue.

RajT88
11 replies
2d18h

Nitpick:

Depreciated means gone down in value.

Deprecated means made obsolete.

I hear this all the time at work. Drives me nuts.

ggm
10 replies
2d17h

Join me, and we can form an army. We need to solve this, and "learnings". I think it's possible this becomes the Butlerian Jihad but without spice.

defrost
4 replies
2d17h

You want spice?

Irregardless, I could care less.

colecut
2 replies
2d13h

That's literally bonkers

ggm
1 replies
2d13h

Literally, Figuratively, Virtually and Actually. Great words, frequently misused.

I also adore "very unique"

colecut
0 replies
1d17h

"Literally" has been abused so much that they have officially made an informal definition of it to mean "figuratively."

Which means "literally" is now its own antonym. Pretty wild

anileated
0 replies
2d14h

As long as you have the codes!

JadeNB
3 replies
2d16h

We need to solve this, and "learnings".

What is "learnings"?

quinndexter
0 replies
2d15h

Exactly.

defrost
0 replies
2d16h

A pluralization once popular in 14th Century Middle English that died out until ressurected in central north American business English.

In 2016 Grammarist was to the point.

    "Learnings is a pluralization of an erroneous form of learning as a singular noun. Said singular noun (e.g., a learning) does not exist, at least according to most dictionaries. Colloquially, especially in the medical field, learnings means specific items that were newly discovered or learned."
https://www.quora.com/What-is-the-plural-form-of-learning-Is...

they're since softened that stance and now discuss how it is poorly used.

https://grammarist.com/usage/learnings/

Joker_vD
0 replies
2d6h

The word invented/resurrected, for some reason, to replace the word "lessons".

layer8
0 replies
2d4h

Add “asks” to that. And “compliment” vs. “complement”, “affect” vs. “effect”, and so on.

kevingadd
4 replies
3d

I miss the flash player and unity player plugins too. Remember how powerful activex was?

robocat
2 replies
2d19h

The main issue with powerful tools is that they get used against you by threat actors.

Our society sets limits based on the most selfish. Our computers get limitations based on the most effective threat.

dumbo-octopus
1 replies
2d15h

The only “problem” with the clipboard API is shitty applications blindly trusting client data.

talldayo
0 replies
2d19h

The only thing wrong with all three things you mentioned is that they're proprietary. Google is not holding the web hostage with W3C standards.

ivanjermakov
0 replies
2d7h

Considering Chrome influence, this might drive non-fork web obsolete

calvinmorrison
0 replies
2d19h

whats wrong with a language that has only one VM? Do we really need 5 VMs?

38
14 replies
3d3h

rich text content should never be the default paste. just give me the damn text I copied

Sayrus
5 replies
3d2h

For what it's worth, Ctrl/Cmd + Shift + V will paste the raw clipboard even if a rich format is available.

zie
4 replies
3d2h

I just paste through a plain text editor(i.e. paste into a plain text editor, verify and copy the bits I want, then paste it in it's intended destination). I know not ideal, but at least that way I can see and verify everything before pasting it somewhere important. I'm sure there are some hacks one can do with rich formats, that some people might try to take advantage of.

rzzzt
1 replies
2d22h

But do you press Ctrl/Cmd + C three times or more to make sure it takes effect?

threecheese
0 replies
2d19h

Why are you watching me???

gwervc
1 replies
3d1h

I do that within a new browser tab url bar, since the shortcut is quite annoying to type.

pests
0 replies
2d23h

Sending your clipboard data to Google if you have predictive type on

eyelidlessness
3 replies
3d1h

Software (OS, browser, native apps, web apps, …) should make it easier to use plain text for both read/write clipboard operations. And probably should make it easier to prefer doing that.

I know that’s a lot more words to say a similar thing, but it avoids two problems with how you put it:

1. Not everyone will share your preference. (I’d hazard a guess that it’s a minority preference, albeit one I mostly share.)

2. It’s self-contradictory. The “damn text I copied” is not just an array of characters: it often includes formatting; it frequently interpolates other content that isn’t even text at all.

The latter is largely the basis for the former. You—and I, mostly!—might be after that array of characters. But many many people are after that richer content, and would be utterly baffled by copying something rich only to get that array of characters on the other side. And quite a lot of people would have little recourse to get what they want.

This is why the multipart clipboard solution is a pretty good compromise. It could be better! It could definitely accommodate the preference for plain text. But it can only be better for those of us with that preference, without regressing for the much more common preference, by keeping the common preference as default.

taejo
2 replies
2d19h

Part of the problem is a poor (or insufficiently DWIM) implementation of rich text copy-paste. If I copy text that has some parts bolded or italicised, that is indeed "the damn text I copied". But the fact that the source website happens to be 12pt blue Verdana should not override the fact that I'm writing an email in 11pt black Arial.

In many cases I do not particularly care whether an email is in 12pt blue Verdana or 11pt black Arial, I absolutely care about there suddenly being a big blue word in the middle of my otherwise-consistent paragraph.

So neither "rich text" nor "plain text" are really correct: often plain text is good enough, but sometimes it's easier to correct the rich text.

ygra
1 replies
2d10h

It's probably a hard problem to solve generically. Word has a little popup when pasting where you can select how you want that paste to be applied: Just text, text with its original formatting, or formatted text, adjusted to the document styles. So far I've used all three, so I guess there's no answer that fits all use cases.

robertlagrant
0 replies
2d4h

Yes, I was going to say the same. Word (incredibly) gets this right.

nyanpasu64
1 replies
2d20h

My problem with rich-text paste is that it transfers unwanted presentational formatting, resulting in mismatched fonts, sizes, and typography. I generally either want plain-text paste or preserving semantic elements (like bold/italic emphasis, links, and bullets).

More generally, when editing a document I want to be able to view both formatted text and "escaped" contents (like "view source"), and when copy-pasting or saving text, I want to be able to convert formatted text into "escaped" text to diff, and also paste text without misinterpreting asterisks and angle brackets as formatting information (until I explicitly copy text as source and paste as formatted).

bobbylarrybobby
0 replies
1d14h

Copying my comment from above here because you may find it helpful:

I use Obsidian for note taking, and discovered one very useful feature: if you paste formatted text, it removes everything except what can be handled in markdown (approximately, things corresponding to html tags, not to styles/CSS). You can then copy it back out as html and paste it and it will have exactly the right amount of formatting.

dumbo-octopus
0 replies
3d

Sometimes I agree, but recently I was trying to copy all the contents from one Quip to another and the system was entirely unable to support pasting the same look&feel I copied. No, I don’t want my headings and links and code and lists and…… to all be given back as plain ASCII. Drove me bonkers.

bobbylarrybobby
0 replies
1d14h

I use Obsidian for note taking, and discovered one very useful feature: if you paste formatted text, it removes everything except what can be handled in markdown (approximately, things corresponding to html tags, not to styles/CSS). You can then copy it back out as html and paste it and it will have exactly the right amount of formatting.

djbusby
8 replies
2d21h

On the subject of getting "private" data from the browser.

Somehow my Bank webapp was able to 2FA prompt me on sign-in with my hostname (aluminium). How did it get that? And when using their site from mobile it's able to see the text with the 2FA code and auto paste it in! Wow/How? Pixel+Chrome or Linux+Chrome.

echoangle
7 replies
2d19h

At least the 2FA Code probably is a Chrome feature, safari displays 2FA SMS text codes as a autocomplete suggestion and I could imagine that Chrome on Android just autofills it. For the hostname, it’s more difficult. Are you sure you never gave that info to the bank as a username or similar? What Bank is this?

djbusby
6 replies
2d19h

Institution for Savings. They use an app/webapp built by a third party that covers loads of small banks.

echoangle
5 replies
2d19h

And where exactly does it show your hostname there? And are you sure you never used it as an account name or something like that? I can’t imagine they can access the hostname from JS.

djbusby
4 replies
2d16h

Yea, first time I hit their site from this machine. And the alert showed on my mobile phone - "allow aluminium?"

One of these days I'm gonna log in with the debugger active.

gary_0
2 replies
2d4h

One possible answer: if the phone app is a native app, it could be listening on a HTTP port and sending the phone's network information to the webserver, which then tells the webapp to ping the phone app, and then the phone uses reverse-mDNS to get the hostname.

I'm not sure why they would go to the trouble of getting the web app to talk to the phone app directly, but it is possible.

djbusby
1 replies
2d3h

I'm logging in on a laptop and getting notifications on my mobile that contains my laptop hostname.

I don't have any banking app installed on either device.

It's confounding.

gary_0
0 replies
2d3h

Weird. What kind of notification? SMS, email, Web Push notification?

pests
0 replies
2d13h

There really isn't a way to get a hostname from javascript in a non-modified browser.

weejewel
7 replies
2d21h

Years ago when I was a student, and JavaScript could get a user’s clipboard without their consent, I made a website ‘getpasted’ that automatically pasted and posted your clipboard to a public database.

Needless to say, some people weren’t happy about it. But it was a nice project to create awareness that it was possible to read the clipboard at any time.

RajT88
6 replies
2d18h

Wait until people find out that by default on Windows 11 all of your clipboard data gets sent to a Microsoft server via Clipboard History / Cloud Clipboard.

cj
2 replies
2d16h

Is Apple’s version of this any better? Clipboard is synced between phone/computers logged into iCloud although it doesn’t log history (at least visibly)

knallfrosch
0 replies
2d8h

Since it is also end-to-end encrypted, an architecture involving Apple server wouldn't reveal the contents either.

ygra
1 replies
2d10h

Clipboard history and sync across devices are both disabled by default, as far as I'm aware.

RajT88
0 replies
2d6h

Hmmm. My work machine had them on, but I suppose that could have been set by policy. I will check my Aya Neo later (only personal Win11 device).

cedws
0 replies
1d13h

Even when not signed in with a Microsoft account?

aumerle
5 replies
2d12h

This article is a perfect illustration of why Webapps will never be as good as native ones. Webapps are always "untrusted" code so they are arbitrarily and artificially restricted from accessing resources on your local machine.

goblin89
4 replies
2d10h

Untrusted by default is a feature. No user would be able to protect themselves, unless perhaps they are a highly trained security expert always on alert, which is not a thing.

This is not the exciting early days of the interwebz where script kiddies run amok and it’s mostly for the geeks anymore, it’s where government-affiliated gangs are launching ransomware attacks on critical infrastructure in order to finance nuclear programs. Accessing arbitrary resources on your local machine is how that happens.

Web apps, given a modern browser, naturally have stricter sandboxing, but native apps are treated as untrusted on any modern OS, too. If I launch anything new, the dialog will have me confirm before it accesses anything other than its isolated app data directory.

aumerle
3 replies
2d9h

I dont run a single native application across five operating systems that requires a popup nag to access the clipboard or that is unable to put any data other than text, html and PNG on the clipboard.

goblin89
2 replies
2d6h

Every mobile OS from Apple would show a popup if an app tried to access clipboard without your explicit pasting. Obviously, if you tapped “paste” then popup would be unnecessary since you would be approving your own action, not app’s action.

It is somewhat crazy that macOS doesn’t do that yet.

But the comment I replied to was talking in general terms. Yes, for some APIs native apps are for now more trusted than Web apps, depending on the OS, but the trend is that they are becoming less and less trusted.

aumerle
1 replies
1d15h

If you mean mobile OSes sure, I can agree with you they are becoming worse with time. OSes for real computers, not so much.

goblin89
0 replies
1d12h

I mean all consumer operating systems, and they are becoming better unless you stick to old and vulnerable versions.

Terretta
2 replies
3d3h

Particularly good combination of scope (including differences across systems and browsers) and depth (including both gotchas and workarounds).

alexharri
1 replies
3d2h

Thanks! I've been trying to limit excessive detail and tangents in my writing (my posts tend to be on the longer side). Great to hear I managed to strike a good balance here.

qingcharles
0 replies
2d16h

This was easily the greatest article ever written on the web clipboard interfaces.

I didn't even know about isTrusted until a couple of weeks ago when I was writing some widgets to speed up some tasks by automating a bunch of web controls. I couldn't get my auto-paste to work, discovered that flag and went down a rabbit hole of trying to over-ride a safety mechanism on my own local browser (not easy!).

threecheese
1 replies
2d21h

Excellent read, thank you. Just wanted to note that the author of Pasteboard Manager[0], Sindre Sorhus, is also the maker of Actions[1] shortcut library as well as other cool iPhone and Mac apps. Not sure if he is on HN.

  - 0. https://apps.apple.com/us/app/pasteboard-viewer/id1499215709
  - 1. https://apps.apple.com/us/app/actions/id1586435171

shatsky
1 replies
1d20h

It's sad that there's no support for lossy compressed images. People copypaste images a lot without intention to change them, and each time it's JPEG source the compression is lost but artifacts are preserved, and more artifacts are added upon repeated JPEG compression, which happens immediately with most target web apps. https://xkcd.com/1683/

bobbylarrybobby
0 replies
1d14h

Wait, is this why when I `right click > copy` an image in safari and paste into messages, it gets turned into a png?

visarga
0 replies
2d3h

Off topic: I often find that copy&paste doesn't work. I clearly hit copy, when I paste nothing happens, or I get the previous copy instead. Not sure why this happens, I see it both on Macs and Ubunutu. As if, after decades of work, we still can't reliably implement a simple operation. It happens both in browsers and other apps.

kfarr
0 replies
3d

My takeaway is the most reliable way to send custom app data over clipboard is using data embedded in HTML a la figma. Bonus is that method lets you define failure behavior via html message if receiving app doesn’t support

ggm
0 replies
2d17h

Wordpress stuffs around with this. Cut-pasting across multiple paragraphs in editor mode can go horribly wrong (copying wordpress words into another web system for cross-pollinating the textual dependencies over "there") -Presumably because the paragraphs are actually different regions under different DIV logic and under different control-effect outcomes?

Another game I find the machine plays on me, is uplifting what I think is ASCII into UTF-8 or iso-latin1 which latterly invokes the clippy-like "I changed those quotes to be more aesthetic thank me later" behaviour which of course, I did NOT want. If I wanted `this' I would not have typed 'this'

fitsumbelay
0 replies
3d

very illuminating and idea-provoking deep dive. thanks.

fitsumbelay
0 replies
2d23h

btw, what was the Chrome extension you were prompted about on your macbook?

cr125rider
0 replies
3d1h

This was awesome. Thanks!

A really nice deep enough dive into some of that nuance.