[webkit-changes] [WebKit/WebKit] 257543: Pressing ⌘V pastes content twice in text fields on...

Wenson Hsieh noreply at github.com
Tue Oct 24 15:20:16 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2575438ca004115ca5cf1c3225c27a6312b7027d
      https://github.com/WebKit/WebKit/commit/2575438ca004115ca5cf1c3225c27a6312b7027d
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2023-10-24 (Tue, 24 Oct 2023)

  Changed paths:
    M Source/WebCore/dom/UserGestureIndicator.cpp
    M Source/WebCore/dom/UserGestureIndicator.h
    M Source/WebCore/page/EventHandler.cpp
    M Source/WebCore/page/LocalFrame.cpp
    M Source/WebCore/page/Quirks.cpp
    M Source/WebCore/page/Quirks.h

  Log Message:
  -----------
  Pressing ⌘V pastes content twice in text fields on Tableau analytics dashboard
https://bugs.webkit.org/show_bug.cgi?id=263590
rdar://105750465

Reviewed by Ryosuke Niwa.

In Tableau's analytics tool, pressing ⌘V to paste in any focused editable areas pastes content
twice after showing a Paste menu item, if the user clicks "Paste" on this item. This is because
Tableau's script does something akin to the following:

```
textField.addEventListener("keydown", event => {
    if (event.key === "v" && event.metaKey)
        document.execCommand("Paste");
});
```

...which triggers a programmatic paste upon `keydown`, without preventing default. This means that
if the programmatic DOM paste is accepted, we'll end up triggering two paste commands: (1) due to
the `execCommand`, and (2) due to the default behavior of ⌘V.

While this is ostensibly a website bug, it works fine in other browsers (Firefox, Chrome) because
they don't support DOM paste at all, so we just end up silently failing the programmatic paste
before performing the real paste.

For now, fix this by adding a quirk for Tableau's analytics page which disables DOM paste access
triggered by key events. Making this a quirk limits risk in the short term, since it's possible that
there are other web apps and frameworks that already assume (based on user agent/engine checks) that
Safari/WebKit will show DOM paste prompts on key events.

* Source/WebCore/dom/UserGestureIndicator.cpp:
(WebCore::UserGestureToken::UserGestureToken):
(WebCore::UserGestureIndicator::UserGestureIndicator):
* Source/WebCore/dom/UserGestureIndicator.h:

Add a new enum flag to determine whether or not we should allow DOM paste requests under the user
gesture token.

(WebCore::UserGestureToken::create):
(WebCore::UserGestureToken::canRequestDOMPaste const):
* Source/WebCore/page/EventHandler.cpp:
(WebCore::EventHandler::internalKeyEvent):

Pass in `CanRequestDOMPaste::No` if the quirk is enabled.

* Source/WebCore/page/LocalFrame.cpp:
(WebCore::LocalFrame::requestDOMPasteAccess):
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::needsDisableDOMPasteAccessQuirk const):

Add the quirk; check `window.tableauPrep` instead of a domain, to fix other (non-Apple-internal)
Tableau instances which would also encounter this same issue.

* Source/WebCore/page/Quirks.h:

Canonical link: https://commits.webkit.org/269736@main

More information about the webkit-changes mailing list