allow clipboard-write (clipboard-read) does not work in certain scenario


Della Brodsky

Apr 3, 2023, 1:02:10 PM
to blink-dev

In the article "Controlling browser features with Permissions Policy - Chrome Developers", section "Combine headers with the iframe allow attribute", it is declared that:

"With Feature Policy, you could add the feature to a cross-origin frame by either adding the origin to the header origin list or adding an allow attribute to the iframe tag. With Permissions Policy, if you add a cross-origin frame to the origin list, the iframe tag for that origin must include the allow attribute. If the response does not contain a Permissions Policy header, the origin list is considered to have the default value of *. Adding the allow attribute to the iframe allows access to the feature."

Please find attached 3 scenarios:

  1. expected_success
  2. expected_failure
  3. unexpected_failure

In all 3 scenarios we have the same final markup:

Host A holding iFrame from itself, which holds iFrame from host B.

The script from the nested iFrame from host B calls the clipboard API navigator.clipboard.writeText

In expected_success scenario both iFrames have

iFrame.setAttribute("allow", "clipboard-read; clipboard-write");

In expected_failure scenario only outer iFrame has

iFrame.setAttribute("allow", "clipboard-read; clipboard-write");

(and thus scenario fails)

The unexpected_failure scenario is a bit more complex, and that would be the scenario in question.

In that scenario we have a form made on Host A with action pointing to Host B (clipboardAPIUsage.html), and submitted to an iFrame, the src of which is on host A (/emptyDocument.html). That is an outer iFrame, and it has iFrame.setAttribute("allow", "clipboard-read; clipboard-write");

Then clipboardAPIUsage.html has onClick btn function where iFrame with src = emptyhover.html is created (with iFrame.setAttribute("allow", "clipboard-read; clipboard-write");)

And then we set the markup with document.write to that created iFrame – after its loading – which includes the call to clipboard API, and there it unexpectedly fails when called.

Please refer to the attached Word file for an illustration of all three markups and consoles.

To reproduce:

As a prerequisite you need to have Node.js installed on your environment

  1. Unzip the attached folder
  2. Open cmd, cd to … \Permission_Policy\Server1 and run node server1.js command – it should start Server 1
  3. Open another instance of cmd, cd to … \Permission_Policy\Server1 and run node server2.js command – it should start Server 2
  4. Open Chrome
  5. To run an expected_success, insert http://localhost:8111/expected_success.html into the address bar and hit Enter; don’t open F12 at this stage
    1. Click “Click me” button – “Copy” button will appear
    2. Click “Copy” button
    3. Open F12, get to Console – no errors will be there
  6. To run an expected_failure, insert http://localhost:8111/expected_failure.html into the address bar and hit Enter; don’t open F12 at this stage
    1. Click “Click me” button – “Copy” button will appear
    2. Click “Copy” button
    3. Open F12, get to Console – the below (expected) error will be there:

clipboardAPIUsage.html:1 Uncaught (in promise) DOMException: The Clipboard API has been blocked because of a permissions policy applied to the current document

  7. To run an unexpected_failure, insert http://localhost:8111/unexpected_failure.html into the address bar and hit Enter; don’t open F12 at this stage
    1. Click “Click me” button – “Copy” button will appear
    2. Click “Copy” button
    3. Open F12, get to Console – the below (unexpected) error will be there:

clipboardAPIUsage.html:1 Uncaught (in promise) DOMException: The Clipboard API has been blocked because of a permissions policy applied to the current document

Markups and errors illustration.docx
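
As an added illustration (not part of the original post or the attached repro), here is a simplified model of how an iframe allow attribute is evaluated when no Permissions-Policy header is sent. It relies on the rule that a feature listed without an origin defaults to 'src', the origin of the iframe's src attribute; the origins, the frame layout and the location of emptyhover.html on host B are assumptions read from the description above.

```javascript
// Simplified model for a feature whose default allowlist is 'self'; assumes no
// Permissions-Policy header anywhere. A and B are constructed placeholder origins.
const A = "http://host-a.example";
const B = "http://host-b.example";
const ALLOW = "clipboard-read; clipboard-write";

// Parse an allow attribute into { feature: [allowlist tokens] }.
// A feature listed without an origin gets the default token 'src'.
function parseAllow(allow) {
  const policy = {};
  for (const part of (allow || "").split(";")) {
    const [feature, ...tokens] = part.trim().split(/\s+/);
    if (feature) policy[feature] = tokens.length ? tokens : ["'src'"];
  }
  return policy;
}

// frame = { src, allow, docUrl }. docUrl is the document actually loaded;
// it differs from src after a navigation such as a form post into the frame.
function frameAllows(feature, parentEnabled, parentOrigin, frame) {
  if (!parentEnabled) return false; // a disabled parent cannot delegate
  const docOrigin = new URL(frame.docUrl).origin;
  const allowlist = parseAllow(frame.allow)[feature];
  if (!allowlist) return docOrigin === parentOrigin; // default 'self'
  return allowlist.some((token) => {
    if (token === "*") return true;
    if (token === "'none'") return false;
    if (token === "'self'") return docOrigin === parentOrigin;
    if (token === "'src'") return docOrigin === new URL(frame.src).origin;
    return docOrigin === new URL(token).origin; // explicit origin
  });
}

// Evaluate a chain of nested frames below a top-level document.
function chainAllows(feature, topOrigin, frames) {
  let enabled = true;
  let parentOrigin = topOrigin;
  for (const frame of frames) {
    enabled = frameAllows(feature, enabled, parentOrigin, frame);
    parentOrigin = new URL(frame.docUrl).origin;
  }
  return enabled;
}
// Third scenario as described (assumed layout): outer src on A, navigated to B.
const formTargetChain = [
  { src: A + "/emptyDocument.html", allow: ALLOW, docUrl: B + "/clipboardAPIUsage.html" },
  { src: B + "/emptyhover.html", allow: ALLOW, docUrl: B + "/emptyhover.html" },
];
console.log(chainAllows("clipboard-write", A, formTargetChain)); // false
```

In this model the third chain is blocked at the outer frame, because the document loaded there no longer comes from the origin of its src attribute. The thread does not confirm that this is the cause in the attached repro.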

Mike Taylor

Apr 3, 2023, 3:52:51 PM
to Della Brodsky, blink-dev

Hi Della,

Thanks for the message. I would encourage you to file a bug at crbug.com/new with these details, so it can be triaged by the relevant team(s).

thanks,
Mike
