219020 2020-11-16 21:33:01 -0800 navigator.clipboard is not exposed on *.localhost pages 2021-03-08 16:59:26 -0800 1 1 1 Unclassified WebKit DOM Safari 14 Mac macOS 10.14 RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=222861 https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-origin InRadar P2 Major --- 1 spamfaenger cdumez achristensen ap cdumez darin ggaren rniwa sam spamfaenger thorton webkit-bug-importer wenson_hsieh youennf oldest_to_newest 1708117 0 spamfaenger 2020-11-16 21:33:01 -0800 navigator.clipboard and with it navigator.clipboard.writeText is gone from Safari Version 14.0.1 (15610.2.11.51.10, 15610) as well as from Technology Preview Release 115 (Safari 14.1, WebKit 15611.1.3.5). I am pretty sure it was there at least in Safari 13, and also seems to be listed as supported on https://webkit.org/status/#?search=clip as well as on https://caniuse.com/mdn-api_clipboard_writetext (which is why I am using it). Not sure how this could slip by? 1708118 1 spamfaenger 2020-11-16 21:33:16 -0800 Might be related to https://bugs.webkit.org/show_bug.cgi?id=206653 1708128 2 ap 2020-11-16 22:24:55 -0800 I'm on exactly the same build right now, and javascript:alert(navigator.clipboard) on this Bugzilla page shows it just fine, and so does Web Inspector console. Could you please elaborate? A rogue extension perhaps? 1708143 3 spamfaenger 2020-11-17 00:05:11 -0800 This was tested with all extensions disabled. I am indeed stumped. The property is available on this bugzilla, but not in the webpage I'm working when I'm serving them on subdomains of localhost, like yeepa.localhost:8080, while it is available again no localhost:8080. ¿¿¿ Is there anything special about subdomains of localhost so this is supposed to happen there? 1708435 4 ap 2020-11-17 16:45:43 -0800 Probably something about what's considered a secure context. CC'ing some people who would know more about recent changes there. 1708437 5 cdumez 2020-11-17 16:48:15 -0800 (In reply to Alexey Proskuryakov from comment #4) > Probably something about what's considered a secure context. CC'ing some > people who would know more about recent changes there. Ever since navigator.clipboard was introduced in r250824, it was only exposed to secure contexts AFAICT. 1708438 6 rniwa 2020-11-17 16:48:36 -0800 Async clipboard API is only available on HTTPS pages. 1708444 7 cdumez 2020-11-17 16:51:29 -0800 (In reply to Ryosuke Niwa from comment #6) > Async clipboard API is only available on HTTPS pages. or localhost or 127.0.0.1. Subdomains of localhost are probably not treated as secure. Looking at our code, the host needs to be exactly "localhost" or "127.0.0.1" to be treated as secure, unless the protocol is HTTPS. 1708449 8 cdumez 2020-11-17 17:07:34 -0800 Spec is here: https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-origin It does say that "*.localhost" is secure so we do have a bug indeed. This is not a recent regression AFAIK though. 1708605 9 414451 cdumez 2020-11-18 07:57:42 -0800 Created attachment 414451 Patch 1708620 10 ews-feeder 2020-11-18 08:39:43 -0800 Committed r269960: <https://trac.webkit.org/changeset/269960> All reviewed patches have been landed. Closing bug and clearing flags on attachment 414451. 1708621 11 webkit-bug-importer 2020-11-18 08:40:16 -0800 <rdar://problem/71540839> 1708694 12 414451 darin 2020-11-18 11:49:17 -0800 Comment on attachment 414451 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=414451&action=review > Source/WebCore/page/SecurityOrigin.cpp:608 > + if (equalLettersIgnoringASCIICase(host, "localhost") || host.endsWithIgnoringASCIICase(".localhost")) Funny and arbitrary that we don’t have endsWithLettersIgnoringASCIICase. It’s just never been added, since we do have startsWithLettersIgnoringASCIICase. 414451 2020-11-18 07:57:42 -0800 2020-11-18 08:39:44 -0800 Patch bug-219020-20201118075741.patch text/plain 4278 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMjY5OTU1CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNmQ0ODcyNTgwNDE4YTlm NmQzNzJkODk4NzNmZDM1NjBiMDMwNjU4My4uYTc1Njk1ODBjNTBiNzU5NWVlODUxYzFlNzczZDgx MjNmYWZiZGZiYiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIwIEBACisyMDIwLTExLTE4ICBDaHJp cyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CisKKyAgICAgICAgbmF2aWdhdG9yLmNsaXBib2Fy ZCBpcyBub3QgZXhwb3NlZCBvbiAqLmxvY2FsaG9zdCBwYWdlcworICAgICAgICBodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjE5MDIwCisKKyAgICAgICAgUmV2aWV3ZWQg YnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTWFrZSBzdXJlIHRoYXQgaWYgdGhlIGhvc3Qg ZmFsbHMgd2l0aGluICIubG9jYWxob3N0IiwgdGhlIHNlY3VyaXR5IG9yaWdpbiBpcyB0cmVhdGVk IGFzCisgICAgICAgIHBvdGVudGlhbGx5IHRydXN0d29ydGh5LCBhcyBwZXI6CisgICAgICAgIC0g aHR0cHM6Ly93M2MuZ2l0aHViLmlvL3dlYmFwcHNlYy1zZWN1cmUtY29udGV4dHMvI2lzLW9yaWdp bi10cnVzdHdvcnRoeSAoU3RlcCA1KS4KKworICAgICAgICBUaGlzIG1ha2VzIHN1cmUgdGhhdCBB UEkgdGhhdCBhcmUgZXhwb3NlZCBvbmx5IHRvIHNlY3VyZSBjb250ZXh0IChzdWNoIGFzIG5hdmln YXRvci5jbGlwYm9hZCkKKyAgICAgICAgYXJlIGV4cG9zZWQgb24gc3ViZG9tYWlucyBvZiBsb2Nh bGhvc3QuCisKKyAgICAgICAgKiBwYWdlL1NlY3VyaXR5T3JpZ2luLmNwcDoKKyAgICAgICAgKFdl YkNvcmU6OlNlY3VyaXR5T3JpZ2luOjppc0xvY2FsSG9zdE9yTG9vcGJhY2tJUEFkZHJlc3MpOgor CiAyMDIwLTExLTE4ICBNaWNoYWVsIENhdGFuemFybyAgPG1jYXRhbnphcm9AZ25vbWUub3JnPgog CiAgICAgICAgIFtXUEVdW0dUS10gVXBkYXRlIE91dGxvb2sgdXNlciBhZ2VudCBxdWlyawpkaWZm IC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvcGFnZS9TZWN1cml0eU9yaWdpbi5jcHAgYi9Tb3VyY2Uv V2ViQ29yZS9wYWdlL1NlY3VyaXR5T3JpZ2luLmNwcAppbmRleCA3NDcxNjQ1Y2YyNWJhMDk4YWZk MTVhMDc5YWJjY2EyNDBkNGYwYzlhLi43ZWMwYzQ1YzJmOWIzNzFmMmEzOWJmMTE2NDhhNzFkNTY2 NzdiNjgwIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wYWdlL1NlY3VyaXR5T3JpZ2luLmNw cAorKysgYi9Tb3VyY2UvV2ViQ29yZS9wYWdlL1NlY3VyaXR5T3JpZ2luLmNwcApAQCAtNjA1LDcg KzYwNSw3IEBAIGJvb2wgU2VjdXJpdHlPcmlnaW46OmlzTG9jYWxIb3N0T3JMb29wYmFja0lQQWRk cmVzcyhTdHJpbmdWaWV3IGhvc3QpCiAgICAgICAgIHJldHVybiB0cnVlOwogCiAgICAgLy8gRklY TUU6IEVuc3VyZSB0aGF0IGxvY2FsaG9zdCByZXNvbHZlcyB0byB0aGUgbG9vcGJhY2sgYWRkcmVz cy4KLSAgICBpZiAoZXF1YWxMZXR0ZXJzSWdub3JpbmdBU0NJSUNhc2UoaG9zdCwgImxvY2FsaG9z dCIpKQorICAgIGlmIChlcXVhbExldHRlcnNJZ25vcmluZ0FTQ0lJQ2FzZShob3N0LCAibG9jYWxo b3N0IikgfHwgaG9zdC5lbmRzV2l0aElnbm9yaW5nQVNDSUlDYXNlKCIubG9jYWxob3N0IikpCiAg ICAgICAgIHJldHVybiB0cnVlOwogCiAgICAgcmV0dXJuIGZhbHNlOwpkaWZmIC0tZ2l0IGEvVG9v bHMvQ2hhbmdlTG9nIGIvVG9vbHMvQ2hhbmdlTG9nCmluZGV4IDQ0NWVkODJiNTcyZTc0NzNlNjJj ODdmMmU0ZTJmYzVmZjgyMjI3MjAuLjUyNTQ2MTgyZDIzYzUyYTQzN2IyNWE0ZGY1MWYyNTI2YmVl ZTFiNGQgMTAwNjQ0Ci0tLSBhL1Rvb2xzL0NoYW5nZUxvZworKysgYi9Ub29scy9DaGFuZ2VMb2cK QEAgLTEsMyArMSwxNSBAQAorMjAyMC0xMS0xOCAgQ2hyaXMgRHVtZXogIDxjZHVtZXpAYXBwbGUu Y29tPgorCisgICAgICAgIG5hdmlnYXRvci5jbGlwYm9hcmQgaXMgbm90IGV4cG9zZWQgb24gKi5s b2NhbGhvc3QgcGFnZXMKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcu Y2dpP2lkPTIxOTAyMAorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisg ICAgICAgIEV4dGVuZCBBUEkgdGVzdCBjb3ZlcmFnZS4KKworICAgICAgICAqIFRlc3RXZWJLaXRB UEkvVGVzdHMvV2ViQ29yZS9TZWN1cml0eU9yaWdpbi5jcHA6CisgICAgICAgIChUZXN0V2ViS2l0 QVBJOjpURVNUX0YpOgorCiAyMDIwLTExLTE4ICBNaWNoYWVsIENhdGFuemFybyAgPG1jYXRhbnph cm9AZ25vbWUub3JnPgogCiAgICAgICAgIFtXUEVdW0dUS10gVXBkYXRlIE91dGxvb2sgdXNlciBh Z2VudCBxdWlyawpkaWZmIC0tZ2l0IGEvVG9vbHMvVGVzdFdlYktpdEFQSS9UZXN0cy9XZWJDb3Jl L1NlY3VyaXR5T3JpZ2luLmNwcCBiL1Rvb2xzL1Rlc3RXZWJLaXRBUEkvVGVzdHMvV2ViQ29yZS9T ZWN1cml0eU9yaWdpbi5jcHAKaW5kZXggYWUwM2JhOTk4MTNlNjhjNDk1NzJjMDBlYTA0YTA3MjQ3 MGExMDY0Ny4uNmVkNWMwYjUzOGZhZWY2MzJiODljNmQ5MzIyYzZiNjQzZDgzZTgxZCAxMDA2NDQK LS0tIGEvVG9vbHMvVGVzdFdlYktpdEFQSS9UZXN0cy9XZWJDb3JlL1NlY3VyaXR5T3JpZ2luLmNw cAorKysgYi9Ub29scy9UZXN0V2ViS2l0QVBJL1Rlc3RzL1dlYkNvcmUvU2VjdXJpdHlPcmlnaW4u Y3BwCkBAIC0xNTksOCArMTU5LDE1IEBAIFRFU1RfRihTZWN1cml0eU9yaWdpblRlc3QsIElzUG90 ZW50aWFsbHlUcnVzdHdvcnRoeSkKICAgICBFWFBFQ1RfVFJVRShTZWN1cml0eU9yaWdpbjo6Y3Jl YXRlRnJvbVN0cmluZygiaHR0cDovLzEyNy4wLjAuMiIpLT5pc1BvdGVudGlhbGx5VHJ1c3R3b3J0 aHkoKSk7CiAgICAgRVhQRUNUX1RSVUUoU2VjdXJpdHlPcmlnaW46OmNyZWF0ZUZyb21TdHJpbmco Imh0dHA6Ly8xMjcuMC4xLjEiKS0+aXNQb3RlbnRpYWxseVRydXN0d29ydGh5KCkpOwogICAgIEVY UEVDVF9UUlVFKFNlY3VyaXR5T3JpZ2luOjpjcmVhdGVGcm9tU3RyaW5nKCJodHRwOi8vMTI3LjEu MS4xIiktPmlzUG90ZW50aWFsbHlUcnVzdHdvcnRoeSgpKTsKKyAgICBFWFBFQ1RfVFJVRShTZWN1 cml0eU9yaWdpbjo6Y3JlYXRlRnJvbVN0cmluZygiaHR0cDovL2xvY2FsaG9zdDo4MDAwIiktPmlz UG90ZW50aWFsbHlUcnVzdHdvcnRoeSgpKTsKICAgICBFWFBFQ1RfVFJVRShTZWN1cml0eU9yaWdp bjo6Y3JlYXRlRnJvbVN0cmluZygiaHR0cDovL2xvY2FsaG9zdCIpLT5pc1BvdGVudGlhbGx5VHJ1 c3R3b3J0aHkoKSk7CiAgICAgRVhQRUNUX1RSVUUoU2VjdXJpdHlPcmlnaW46OmNyZWF0ZUZyb21T dHJpbmcoImh0dHA6Ly9sb0NBTGhvU1QiKS0+aXNQb3RlbnRpYWxseVRydXN0d29ydGh5KCkpOwor ICAgIEVYUEVDVF9UUlVFKFNlY3VyaXR5T3JpZ2luOjpjcmVhdGVGcm9tU3RyaW5nKCJodHRwOi8v Zm9vLmxvY2FsaG9zdCIpLT5pc1BvdGVudGlhbGx5VHJ1c3R3b3J0aHkoKSk7CisgICAgRVhQRUNU X1RSVUUoU2VjdXJpdHlPcmlnaW46OmNyZWF0ZUZyb21TdHJpbmcoImh0dHA6Ly9Gb28ubG9DYUxo T3NUIiktPmlzUG90ZW50aWFsbHlUcnVzdHdvcnRoeSgpKTsKKyAgICBFWFBFQ1RfVFJVRShTZWN1 cml0eU9yaWdpbjo6Y3JlYXRlRnJvbVN0cmluZygiaHR0cDovL2Zvby5sb2NhbGhvc3Q6ODAwMCIp LT5pc1BvdGVudGlhbGx5VHJ1c3R3b3J0aHkoKSk7CisgICAgRVhQRUNUX1RSVUUoU2VjdXJpdHlP cmlnaW46OmNyZWF0ZUZyb21TdHJpbmcoImh0dHA6Ly9mb28uYmFyLmxvY2FsaG9zdDo4MDAwIikt PmlzUG90ZW50aWFsbHlUcnVzdHdvcnRoeSgpKTsKKyAgICBFWFBFQ1RfRkFMU0UoU2VjdXJpdHlP cmlnaW46OmNyZWF0ZUZyb21TdHJpbmcoImh0dHA6Ly9sb2NhbGhvc3QuY29tIiktPmlzUG90ZW50 aWFsbHlUcnVzdHdvcnRoeSgpKTsKKyAgICBFWFBFQ1RfRkFMU0UoU2VjdXJpdHlPcmlnaW46OmNy ZWF0ZUZyb21TdHJpbmcoImh0dHA6Ly9mb28ubG9jYWxob3N0LmNvbSIpLT5pc1BvdGVudGlhbGx5 VHJ1c3R3b3J0aHkoKSk7CiAgICAgRVhQRUNUX1RSVUUoU2VjdXJpdHlPcmlnaW46OmNyZWF0ZUZy b21TdHJpbmcoImh0dHA6Ly9bOjoxXSIpLT5pc1BvdGVudGlhbGx5VHJ1c3R3b3J0aHkoKSk7CiAj aWYgUExBVEZPUk0oQ09DT0EpCiAgICAgRVhQRUNUX1RSVUUoU2VjdXJpdHlPcmlnaW46OmNyZWF0 ZUZyb21TdHJpbmcoImFwcGxld2ViZGF0YTphIiktPmlzUG90ZW50aWFsbHlUcnVzdHdvcnRoeSgp KTsK