[itsananderson]

True, if an attacker has control of your device you are probably screwed anyway, but there are still different degrees of screwed. There are more and less privileged portions of your system, and keeping sensitive data to less secure areas is still not a great idea. With browsers offering clipboard access as a JavaScript API, it is definitely an area I would consider less well secured than, say, read protected memory or a process-isolated browser extension sandbox.

[emodendroket]

Fair point, but I don't think you can _read_ the contents of the system clipboard, can you? I thought you could set it but had to wait for a paste event to read it.

[itsananderson]

It requires a permission request, but yes there's a browser API to read the clipboard contents https://developer.mozilla.org/en-US/docs/Web/API/Clipboard/r...

[partido3619463]

On iOS and Mac the clipboard is readable to all apps without interaction. (Eg slack allows login on Mac desktop by copy/pasting text from the browser. Chrome on iOS will auto paste from clipboard to show a target url)