The Async Clipboard API lets websites read and write your clipboard with a single permission.
On many browsers, the write direction requires no permission at all — any page can silently
replace whatever you last copied. The read direction asks once, then remembers.
In 2019, researchers found that 250 of the Alexa top 1000 websites silently overwrote clipboard contents.
Some retail sites injected coupon codes so that users who pasted a product link into a price-comparison
tool got a modified URL instead. Malicious pages substitute cryptocurrency wallet addresses at paste time —
the victim copies a wallet address, pastes it, and sends funds to the attacker.
What can websites do with your clipboard?
Read access (clipboard-read permission): one dialog, then persists. Once granted, any script on that origin can read your clipboard silently in the background — no user gesture needed after the first time. Chrome's permission prompt says "See text and images copied to clipboard." Most people click Allow.
Write access (clipboard-write permission): in Chrome and Firefox, writing to the clipboard requires no permission dialog at all — only a user gesture (click or key press). Any onclick handler can silently overwrite your clipboard.
document.execCommand('copy'): the old API, deprecated but still supported in all browsers. No permission required, only a user gesture. Scripts have used this to inject content during "Copy" button clicks for over a decade.
The attack surface: copy a crypto wallet address → website overwrites clipboard → you paste the attacker's address. Copy a login link → website overwrites with a phishing URL. This attack has been used in active malware.
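One way to see the silent writes described above while reviewing a page is an audit hook around the clipboard's writeText method that compares each write with what the user had selected. This is an added example, not code from the original page; installClipboardAudit, classifyWrite, runDemo, the stand-in clipboard object and all sample strings are constructed for illustration.

```javascript
// Added example: records every clipboard.writeText() call and classifies it
// against what the user actually had selected at that moment.
function classifyWrite(written, selected) {
  if (selected === "") return "unsolicited";          // nothing selected, page wrote anyway
  if (written === selected) return "match";           // clipboard holds what the user chose
  if (written.includes(selected)) return "augmented"; // selection plus extra text
  return "replaced";                                  // clipboard holds something else
}

function installClipboardAudit(clipboard, getSelectedText) {
  const log = [];
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = function (text) {
    const written = String(text);
    const selected = String(getSelectedText() || "").trim();
    // Log lengths only, so the audit log never stores clipboard contents.
    log.push({
      verdict: classifyWrite(written.trim(), selected),
      writtenLength: written.length,
      selectedLength: selected.length,
    });
    return original(text); // pass through so page behaviour is unchanged
  };
  return log;
}

// Constructed stand-ins for navigator.clipboard and window.getSelection(),
// so the hook can be exercised outside a browser.
function runDemo() {
  const fakeClipboard = {
    value: "",
    writeText(t) { this.value = t; return Promise.resolve(); },
  };
  let selection = "";
  const log = installClipboardAudit(fakeClipboard, () => selection);

  selection = "https://shop.example/item/42";
  fakeClipboard.writeText(selection);                     // honest Copy button
  fakeClipboard.writeText(selection + "?coupon=SAMPLE");  // link with injected text
  selection = "wallet-address-user-selected";
  fakeClipboard.writeText("wallet-address-someone-else"); // substituted value
  selection = "";
  fakeClipboard.writeText("text nobody selected");        // silent write
  return { log, finalClipboard: fakeClipboard.value };
}
```

In a browser test session the same hook is installed with installClipboardAudit(navigator.clipboard, () => window.getSelection().toString()); it covers writeText only, not document.execCommand('copy') or copy-event handlers.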