Standardize Clipboard Source url, aka the URL from which the content has been copied from

[ragoulik]

Today when copy is performed from browsers (Ctrl/CMD+C or using writing using Clipboard APIs)
there is no standardized, cross-browser supported provenance metadata—such as the source URL

Instead today browsers are using different clipboard MIME types to capture this:
Chrome/Edge uses: Chromium Internal Source URL
While Firefox uses: text/x-moz-url-priv

Security applications on different platforms are using these MIME types today to check if content on clipboard originated from a known malicious/untrusted website.

I want to propose standardizing this. That is, write the provenance metadata - source url to lets say "sourceUrl"

[annevk]

It doesn't seem ideal for the end user that this ends up leaking in this way. Why would they want the target to know what website they were on?

[tanu18]

This behavior already exists today—browsers include provenance metadata (source URL) in the clipboard using vendor-specific MIME types like Chromium Internal Source URL or text/x-moz-url-priv, and sometimes even inside the HTML clipboard format as an optional SourceURL header.
Our proposal doesn’t introduce a new concept; it simply standardizes the name and format so it’s consistent across browsers. The standardized MIME type would not be exposed to web developers via Clipboard APIs—it’s intended for platform-level applications (e.g., security tools) to make informed decisions.
Standardization improves interoperability, reduces fragmentation, and provides clearer privacy guidelines without increasing exposure, since this mechanism already exists today.

[karlcow]

There are currently different mechanisms on the side of Safari.

For the contextual menu on an image there is

• Copy Image
• Copy Image Address

The URL in both cases, The URL is stored as

📄 TEXT/URI-LIST:
──────────────────────────────
Length: 123 characters
Content:
https://images.ctfassets.net/j05yk38inose/4ma9ptzE0KO1QndufTNJnL/c79c97449402e1a753bfa250aeb5fa3e/IMG_6468.JPG?w=1568&q=100

📄 TEXT/PLAIN:
──────────────────────────────
Length: 123 characters
Content:
https://images.ctfassets.net/j05yk38inose/4ma9ptzE0KO1QndufTNJnL/c79c97449402e1a753bfa250aeb5fa3e/IMG_6468.JPG?w=1568&q=100

The copy image contains two more representations in addition to the two previous ones as text/html containing the URL too
and the file content of the image.

[karlcow]

But in all cases that's not the source of the context.

[karlcow]

@tanu18 Could you give a code example where Firefox and Chrome share the provenance of the document. I haven't been able to find one on a normal webpage.

Here to see the Clipboard Data content.
https://codepen.io/webcompat/pen/WbwOPxe

[tanu18]

As mentioned in my previous comment, the proposal focuses on aligning existing practices rather than introducing a new mechanism. Browsers already include source URL provenance in clipboard data through vendor-specific formats, but these differ across implementations.

By standardizing the MIME type and naming convention, we aim to improve interoperability, reduce fragmentation, and provide clearer privacy guidance—while keeping the capability internal for platform-level tools, not exposed to web developers.

Attaching screenshots from the clipboard viewer.

I copied text using Ctrl + C from a webpage in both Chromium-based browsers and Firefox, and here are the observed results:

Chrome/Edge: Chromium Internal Source URL
Firefox: text/x-moz-url-priv

Currently, browsers use different MIME types to capture the source URL.
We propose standardizing this field name to something like sourceUrl for consistency across implementations.

[johanneswilm]

TPAC 2025:

Rohan
The proposal is to have a new MIME type whenever a site copies data to the clipboard
This origin information will help antivirus software
If the application is not trusted, if the app is not trusted, then it can help try and block malicious data that would have been transferred.
Antivirus software rely on these MIME types
The proposal is to standardize this URL to make it easier for this software to work.
Rakesh
What was the question?
I wanted to add a couple of thoughts
Standardizing this is also proposed by Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=1965323
Antivirus and antimalware software are using these
Chromium is writing to a different MIME type
I’m not sure if Safari is writing it or not
The motivation is to standardize this that way we are doing
This in general should help these applications
ClickFix attacks blog: https://textslashplain.com/2025/04/15/vibe-coding-for-security/
Johannes
The negative of this is that browsers would change this and then the antivirus software wouldn’t know about the new work
Smaug
This seems like we added this to firefox many years ago and not touched since.
Johannes
Is this a particular pain that there are different ones.
Rohan
Yes we were contacted by these software developers
Smaug
We need to standardize what this actually means, source origin
Where is that said and what the value actually is.
Johannes
Where should this land? What is actually proposed here.
Rohan
Probably in the editing spec somewhere
Smaug
In Firefox this is about the exec command would we need to support that case as well?
Johannes
So something in the exec command document and something in the async.
Does this have to go several places?
Smaug
Can it just be in once place?
This can be talking about a generic place to
Rohan
Even if you copy from the address bar, not just the content.
If you right click or control-c
Smaug
I think defining this is the clipboard spec, maybe that’s enough.
Rakesh
I think maybe we are ok with that.
Johannes
So general support from Firefox.
We don’t know what Safari is doing.
So we need a little bit more research on that, but not direct opposition so far.
And then we take this up on the next call
Rohan
And then we will come up with a new spec PR.
Xq
We need to nominate a new editor.
Johannes
Reads the current editors of the specs.
I got a message that Dan will be an editor for Edit Context, but also Requish.
Action: Rohan to submit a PR and update the editor’s list, add new editors and move names to former editor list

[ericlaw1979]

The Microsoft Defender team is very interested in this proposal.

There's some discussion here: https://textslashplain.com/2024/06/04/attack-techniques-trojaned-clipboard/#:~:text=Mark%20of%20the%20Web%20%E2%80%93%20Clipboard%20Edition%3F