惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Securelist
Simon Willison's Weblog
Simon Willison's Weblog
Security Latest
Security Latest
博客园 - 司徒正美
T
Threat Research - Cisco Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
C
Check Point Blog
Jina AI
Jina AI
H
Heimdal Security Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
B
Blog
美团技术团队
W
WeLiveSecurity
G
Google Developers Blog
K
Kaspersky official blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
V
Visual Studio Blog
T
Threatpost
酷 壳 – CoolShell
酷 壳 – CoolShell
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Attack and Defense Labs
Attack and Defense Labs
腾讯CDC
Hacker News - Newest:
Hacker News - Newest: "LLM"
Cyberwarzone
Cyberwarzone
Apple Machine Learning Research
Apple Machine Learning Research
P
Privacy & Cybersecurity Law Blog
H
Hacker News: Front Page
博客园 - 【当耐特】
人人都是产品经理
人人都是产品经理
有赞技术团队
有赞技术团队
Hugging Face - Blog
Hugging Face - Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CERT Recently Published Vulnerability Notes
V
Vulnerabilities – Threatpost
AI
AI
MongoDB | Blog
MongoDB | Blog
Project Zero
Project Zero
Hacker News: Ask HN
Hacker News: Ask HN
量子位
A
Arctic Wolf
GbyAI
GbyAI
Recorded Future
Recorded Future
SecWiki News
SecWiki News
小众软件
小众软件
Martin Fowler
Martin Fowler

Daring Fireball

Anthropic's Safety Superpower Kennedy Center removes Trump’s name from building — The Washington Post Private Cloud Compute - Apple Developer Statement on the US government directive to suspend access to Fable 5 and Mythos 5 Every Frame Perfect The Talk Show: Live From WWDC 2026 What is the true story behind Apple’s decision not to roll out "Siri AI" in the EU? This decision is Apple’s and Apple’s only. Because absolutely nothing in the DMA prohibits Apple from rolling out… | Thomas REGNIER | 111 条评论 Due to DMA, Siri AI delayed in EU for iOS 27 and iPadOS 27 Steven Spielberg Answers YOUR Questions Sweet Jeebus, MacOS 27 Golden Gate Removes the Dumb Icons From Menu Items WWDC26 — The Small Things - Oneberri Blog Apple WWDC 2026 June 8: Introducing Siri AI and more Apple’s App Store rolls out personalized recommendations Unlock Autonomous AI Agents with auth.md, Michael Grinich | MCP Night: Agent Mode Keynote From the Annals of People Having Knowledge of the Matter, Siri AI Extensions Edition Apple’s WWDC AI demos looked more real after $250M false ad settlement Craig Federighi details Apple’s collaboration with Google for Siri AI in iOS 27 SwiftUI Only Makes It Easy to Develop Bad Apps 60 Minutes Correspondents Lesley Stahl, Bill Whitaker, and the Other Guy Will Stay at Show Trump Can Tear Down Statue of Liberty, Says Trump Lawyer Nieman Journalism Lab: Twitter/X Punishes Accounts That Post Links Regarding Those Rumors of Apple Pursuing an Acquisition of Perplexity ‘The Insider’ Lingon - Peter Borg Apps Chrome is Bad Gemini for macOS - your native AI desktop app Nick Bilton Shits the Bed With Pseudoscience-Laden ‘Could Wearable Computers Be as Harmful as Cigarettes?’ New York Times Column Nick Bilton on an Apple Television Set: ‘It’s Not a Matter of if, It’s a Matter of When.’ Instagram 用户 Scott Pelley Road to WWDC 2026: What’s a developer? Sorry - Not Allowed How People With Meta Glasses Can Secretly Record You Microsoft and OpenAI broke up — now they’re ready to fight CBS Fires Scott Pelley After Pelley Tries Very Hard to Get Fired CBS News Fires Scott Pelley of ‘60 Minutes’ Meta Reportedly Has a Slew of New Smart Glasses Planned for This Year Meta Says Fuck That Metaverse Shit ‘The Metaverse Fever Dream’ Scott Pelley Accuses CBS News Boss of ‘Murdering’ ‘60 Minutes’ Of all the dickovers, the dickover that blueballs you with some first-time buyer incentive. “Sign up and get 10% discount, new accounts only”, the dickover boasts. Never understood why you’d ever penalize returning customers with a dickover, blue-balling them with 10% off teaser Video API for developers | Mux Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked The Talk Show Live From WWDC 2026 exe.dev - ssh exe.dev Take Two Apple introduces Siri AI, a profoundly more capable and personal assistant Apple Intelligence brings powerful AI capabilities into everyday experiences What Apple Knows About AI That Silicon Valley Won't Admit Daniel Jalkut on AI - YouTube What Is a Dickover? If You Take the Weasel Job Then You Must Be the Weasel Who’s Deranged, Exactly? Websites have a new way to spy on visitors: Analyzing their SSD activity Meta launches Instagram, Facebook, and WhatsApp subscriptions, with more to come, including AI plans Halide Mark III We Are Living in Pinocchio’s World Jay Haynes: ‘Apple’s $3 Trillion Valuation’ Thieves Are Texting Threats to Victims of iPhone Theft in London Pipes – WorkOS Docs MLS Wrap-Up⁩, 05/24/26 - Watch the Highlights Why Steve Kerr Stayed With the Warriors Trump Mobile investigating potential exposure of would-be customers’ personal information The Fonts of the U.S. Federal Courts The Ninth Circuit Appeal Ruling in ‘Epic v. Apple’ That Apple Is Seeking to Overturn at the Supreme Court (PDF) Zero Sum Problems Stephen Colbert’s ‘The Late Show’ Finale Apple TV to air first major live pro sports event shot on iPhone 17 Pro Apple seeks Supreme Court review of contempt finding and injunction scope in Epic Games case BBEdit 16 is here! | Bare Bones Software x.com WSJ: ‘Google Unveils New Gemini AI Agent for Personal Tasks’ NYT: ‘Powered by A.I., Google Changes Its Search Box for the First Time in 25 Years’ www.tiktok.com The Metaverse Fever Dream The 13 biggest announcements at Google I/O 2026 x.com Apple Sports expands to more than 90 new countries and regions Jury Rejects Elon Musk’s Claim Against Sam Altman in Unanimous Verdict Define ‘Boom’ Please - YouTube Drata AI Is Technology, Not a Product Greg Brockman Officially Takes Control of OpenAI’s Products in Latest Shakeup ArXiv to Ban Researchers for a Year if They Submit AI Slop Americans Oppose AI Data Centers in Their Area Nextpad++ Santa Clara County sues Meta over alleged scam ads Software as the Product of Obsession Times Voice Why Reddit blocked my daily visit to its mobile website Y Combinator’s Stake in OpenAI Geography is four-dimensional | Derek Sivers Amazon made AI podcasts for products. Civilization had a good run. EU tells Google to open up AI on Android; Google says that's "unwarranted intervention" John Appleseed Social media is turning into a freak show AI, "Humanity", and Dr. Manhattan Syndrome The Hilarious History of 'OK' Three Ways to Get Paid Alaska Permanent Fund
WebKit always enables the Copy menu item in every app
John Gruber · 2026-06-25 · via Daring Fireball
Jeff Johnson (My apps, PayPal.Me, Mastodon)

June 24 2026

WebKit, to quote its website, “is the web browser engine used by Safari, Mail, App Store, and many other apps on macOS, iOS, and Linux.” Obviously, Safari uses WebKit to display web pages, but did you know that Mail app uses WebKit to display email messages? This is true not just for HTML emails but also for plain text format emails. There are a couple of ways to reveal the presence of WebKit in Mail, both of which may be bugs. If you disable “Auto-play animated images” in the Accessibility pane of System Settings, then when you open the contextual menu in a Mail app message or in a Safari web page, you’ll see the “Play All Animations” contextual menu item. In Mail, “Play All Animations” is the only item in the menu, suggesting to me that Apple engineers did not expect a contextual menu there. This behavior occurs on macOS Sequoia, at least; I haven’t yet tested Mail on Tahoe, because I’m avoiding that update, due to Liquid Glass.

The second way to see WebKit in Mail app is mentioned in the title of this blog post. Several weeks ago, John Gruber of Daring Fireball asked me whether I could reproduce an issue he was seeing in Safari: when a web page is focused, the Copy menu item in the main menu is always enabled, regardless of whether there’s anything selected in the web page. I could indeed reproduce that issue, and it turns out to be the fault of WebKit. The issue also occurs in Mail app, when an email message is focused.

On Apple platforms, WebKit is a public API, used by third-party apps in addition to Apple’s first-party apps. RSS readers such as NetNewsWire and Vienna, preferred by Gruber and myself, respectively, use WebKit to display articles from RSS feeds. And sure enough, both apps exhibit the same issue: the Copy menu item is always enabled when an article is focused.

What happens if you copy and paste from a WebKit WebView with no selection? Nothing happens, nothing is pasted. However, technically speaking, the clipboard is not empty.

Clipboard Viewer General Clipboard

The Clipboard Viewer app, pictured above, is included in the Additional Tools for Xcode, which can be downloaded from the Apple Developer website. The com.apple.webarchive and “Apple Web Archive pasteboard type” items in the above list are identical binary property lists (indicated by the prefix bplist). Here’s the plist transformed into XML:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>WebMainResource</key>
	<dict>
		<key>WebResourceData</key>
		<data>
		PCFET0NUWVBFIGh0bWw+
		</data>
		<key>WebResourceFrameName</key>
		<string></string>
		<key>WebResourceMIMEType</key>
		<string>text/html</string>
		<key>WebResourceTextEncodingName</key>
		<string>UTF-8</string>
		<key>WebResourceURL</key>
		<string>https://daringfireball.net/</string>
	</dict>
</dict>
</plist>

When you copy from a web page in Safari with no selection in the page, you get a representation of the page that includes the page URL, as well as some (useless) data in Base64 format:

% echo 'PCFET0NUWVBFIGh0bWw+' | base64 -d
<!DOCTYPE html>

Unfortunately, no other app seems to understand this web archive pasteboard type. The com.apple.WebKit.custom-pasteboard-data item also includes the web page URL wrapped in some weird format that no other app seems to understand. The other pasteboard types in the list are actually empty, with zero bytes of data. Thus, when you paste, you get nothing.

Copying from an email message in Mail app generates similar clipboard contents:

Clipboard Viewer General Clipboard

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>WebMainResource</key>
	<dict>
		<key>WebResourceData</key>
		<data>
		</data>
		<key>WebResourceFrameName</key>
		<string></string>
		<key>WebResourceMIMEType</key>
		<string>text/html</string>
		<key>WebResourceTextEncodingName</key>
		<string>UTF-8</string>
		<key>WebResourceURL</key>
		<string>x-webdoc://48BE32AC-8EEF-4630-8C5E-BC292F17A707</string>
	</dict>
</dict>
</plist>

In this case there’s no resource data, and the page URL with an x-webdoc scheme is seemingly useless and can’t be opened:

% open 'x-webdoc://48BE32AC-8EEF-4630-8C5E-BC292F17A707'
No application knows how to open URL x-webdoc://48BE32AC-8EEF-4630-8C5E-BC292F17A707 (Error Domain=NSOSStatusErrorDomain Code=-10814 "kLSApplicationNotFoundErr: E.g. no application claims the file" UserInfo={_LSLine=1796, _LSFunction=runEvaluator}).

Needless to say, none of this is an expected or a good user experience. Since I frequently file WebKit bug reports, I decided to file a bug report on behalf of Gruber: Copy main menu item is enabled with no selection in the web page. I subsequently learned that the first appearance of the bug was January 2025 in the WebKit source code, February 2025 in Safari Technology Preview 213, and March 2025 in Safari 18.4, as a result of attempting to fix another bug, document.execCommand("copy") only triggers if there is a selection, reported in 2016, nine years prior!

I’ve blogged about document.execCommand("copy") before: Web pages can overwrite your system clipboard without your knowledge. In that blog post I described how web pages can exploit a seemingly innocuous user gesture to overwrite the system clipboard. My web browser extension StopTheMadness Pro can now prevent this via the website option “Protect clipboard write.” Of course the document.execCommand("copy") API was not designed to be malicious, and there are prominent, legitimate use cases such as the Copy button in the YouTube Share popup. Below is a demonstration, a button that when clicked writes “This is a test” to your clipboard.

The YouTube Share button and similar controls, for example “Copy link” on Twitter/X tweets, ought to work without a text selection on the web page. That was the bug reported back in 2016 and fixed in 2025. Nonetheless, the Copy menu item in the main menu of an app should not be enabled if there’s no selection. That is the bug I recently reported. The two cases are distinct: one is on the web, the other is native to the Mac; one is implemented in JavaScript, the other implemented in Objective-C or Swift. Web pages and Mac apps have different rules and conventions. Moreover, it’s crucial to recognize that the Copy menu item in the Safari main menu does not call document.execCommand("copy"), not even when the YouTube Share popup is displayed. Unlike the HTML Copy button, the Safari native Copy menu item generates useless web archive clipboard contents, due to the bug I reported.

Sadly, my bug report was closed with the resolution “won’t fix.” The refusal appears to be based on a misunderstanding:

The point of https://commits.webkit.org/288559@main is to enable copy regardless of the selection state. Either copying is enabled or not. We can't have it both ways.

This rigid response should cause your Spidey-Sense to tingle! Doesn’t the statement sound very much like a false dichotomy? We actually can have it both ways. As a longtime Mac developer, I’m quite familiar with how an app’s main menu items are enabled and disabled. (Other Mac developers may be familiar with my “working without a nib” series of blog posts explaining how to construct the menu programmatically.) Typically, the state of the menu items is governed by the validateMenuItem: AppKit method. Nothing would prevent WebKit from handling the native validateMenuItem: and the JavaScript document.execCommand("copy") differently, using slightly different algorithms for each case. There’s no good reason why the special workaround for JavaScript execCommand has to leak into the native main menu of Mac apps.

I reopened my bug report and argued my case, but given the initial response, I fear that the report may continue to be treated dismissively. This is why I’m blogging about the bug, to raise awareness and hopefully bring public pressure. It always sucks when Apple engineers convince themselves that a bug is a feature.

Jeff Johnson (My apps, PayPal.Me, Mastodon)