Clipboard content is among the most sensitive data on a user's device — it regularly contains passwords copied from password managers, 2FA codes, API keys, banking account numbers, and confidential text. An extension that reads the clipboard automatically, periodically, or on page load captures this data without any user signal that the action is happening. CWE-200 covers unauthorized data exposure; GDPR Art. 5(1)(c) requires collection to be limited to what is necessary and tied to a specific purpose. Chrome Web Store policy requires clipboardRead access to be justified by core functionality — background clipboard monitoring is explicitly prohibited.
Medium because automatic clipboard access can silently capture passwords, 2FA codes, and API keys during routine use — the absence of a user trigger means collection happens without any awareness or opportunity to prevent it.
Ensure all clipboard reads are initiated by an explicit user gesture. Attach the read to a button click or keyboard shortcut, never to load or interval events:
document.getElementById('pasteButton').addEventListener('click', async () => {
  try {
    const text = await navigator.clipboard.readText();
    processText(text);
  } catch (err) {
    console.error('Clipboard read failed:', err);
  }
});
// NEVER do this:
// setInterval(() => navigator.clipboard.readText().then(log), 30000);
// window.addEventListener('load', () => navigator.clipboard.readText()...);
If you need to monitor clipboard for a specific feature, surface a dedicated UI control that the user must actively engage with each time.
ID: extension-data-privacy.storage-security.clipboard-action-only
Severity: medium
What to look for: If the extension requests clipboardRead or clipboardWrite permission, examine the code for when clipboard access happens. Check whether it's triggered only by user action (button click, keyboard shortcut, right-click context menu) or if it happens automatically (on load, periodically, etc.).
Pass criteria: Count all clipboard API calls (navigator.clipboard, document.execCommand('paste')) in the codebase. All (100%) of clipboard access must be triggered in response to explicit user action — click, keyboard shortcut, or deliberate paste command — and never automatically or periodically. Report the count of clipboard access points even on pass.
Fail criteria: Clipboard is read automatically on extension load, periodically, or without explicit user confirmation. Clipboard data is logged or sent externally.
Skip (N/A) when: The extension does not request clipboardRead or clipboardWrite permission.
Detail on fail: Describe when clipboard access occurs. Example: "Background script reads clipboard every 30 seconds and logs contents to chrome.storage.local" or "Clipboard is read on extension install and sent to external server without user interaction."
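One way to mechanise the "what to look for" and "pass criteria" steps above is a heuristic static audit that attributes every clipboard API call to the nearest enclosing event registration. This is an added example, not the original page's code; the trigger lists and the sample extension source are assumptions.

```javascript
// Added example (not the page's own code). The trigger regexes and sample source are assumptions.
const USER_TRIGGERS = /addEventListener\(\s*['"](click|keydown|keyup|paste|submit)['"]|onclick\s*=|contextMenus\.onClicked|commands\.onCommand/;
const AUTO_TRIGGERS = /setInterval\(|setTimeout\(|addEventListener\(\s*['"](load|DOMContentLoaded|focus|visibilitychange)['"]|onload\s*=|runtime\.onInstalled|runtime\.onStartup|alarms\.onAlarm/;
const CLIPBOARD_API = /navigator\.clipboard\.(readText|read|writeText|write)\s*\(|execCommand\(\s*['"](paste|copy)['"]/;

// Walks the source line by line, tracking brace/paren depth so each clipboard call is attributed
// to the nearest enclosing event registration: user gesture, automatic trigger, or none at all.
function auditClipboardAccess(source) {
  const findings = [];
  const scopes = []; // stack of { trigger, depth }; an entry is popped when its block closes
  let depth = 0;
  source.split('\n').forEach((line, idx) => {
    const code = line.replace(/\/\/.*$/, ''); // drop line comments (commented-out anti-patterns)
    if (USER_TRIGGERS.test(code)) scopes.push({ trigger: 'user', depth });
    else if (AUTO_TRIGGERS.test(code)) scopes.push({ trigger: 'auto', depth });
    const api = code.match(CLIPBOARD_API);
    if (api) {
      const name = api[1] ? `navigator.clipboard.${api[1]}` : `execCommand(${api[2]})`;
      const trigger = scopes.length ? scopes[scopes.length - 1].trigger : 'top-level';
      findings.push({ line: idx + 1, api: name, trigger, ok: trigger === 'user' });
    }
    for (const ch of code) {
      if (ch === '{' || ch === '(') depth++;
      else if (ch === '}' || ch === ')') depth--;
    }
    while (scopes.length && depth <= scopes[scopes.length - 1].depth) scopes.pop();
  });
  return findings;
}

// Pass only when every access point is user-triggered; the count is reported either way.
function summarize(findings) {
  const userTriggered = findings.filter((f) => f.ok).length;
  const automatic = findings.length - userTriggered;
  return { total: findings.length, userTriggered, automatic, pass: automatic === 0 };
}

// Constructed sample mixing compliant and non-compliant clipboard access.
const SAMPLE_SOURCE = `document.getElementById('pasteButton').addEventListener('click', async () => {
  const text = await navigator.clipboard.readText();
  processText(text);
});
setInterval(() => navigator.clipboard.readText().then(log), 30000);
window.onload = () => navigator.clipboard.readText().then(store);
chrome.contextMenus.onClicked.addListener(() => {
  document.execCommand('paste');
});
`;

console.log(summarize(auditClipboardAccess(SAMPLE_SOURCE))); // { total: 4, userTriggered: 2, automatic: 2, pass: false }
```

The brace counting is deliberately simple (strings containing parentheses or block comments will skew it), so treat the output as a triage list to confirm by reading each flagged line.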
Remediation: Only read clipboard in response to user action:
document.getElementById('pasteButton').addEventListener('click', () => {
  navigator.clipboard.readText().then(text => {
    // Use pasted text
  });
});
// NOT:
// window.onload = () => navigator.clipboard.readText() ...