Usually system clipboard access is restricted in clipboard events like
onpaste. However I found that you can set the system clipboard in any context (e.g. a timer event).
This can be achieved by adding an
IFrame containing a text input element into the document, and turning its design-mode / content-editable on. The
execCommand will then become available via the added
IFrame document. So to copy text to the system clipboard, you set the text input’s value (in the
IFrame) to the text to be copied, then you select and focus the text input control, and finally issue a execCommand(“copy”) on the
Click here for a demo, this has an example with malicious intent: where it hijacks the system clipboard by constantly setting its content to a malicious URL (note it does not harm your computer and it ends when you close the page). Extra efforts can be made to avoid scrolling issues when focusing/selection the text input by using absolute floats. The example also is triggered via a mouse click – a malicious script would probably start the copying as soon as it’s loaded.
I’m not sure if the developers of Webkit would consider this a security hole or not. I have tested it on Safari 3 (Windows and Mac) and Chrome 2 (in which it works). I have reported it to them.