Support cross domain/application copy/paste

[AustinMroz]

Browsers place very heavy restrictions on what can be copied and pasted. See:

• https://alexharri.com/blog/clipboard
• https://www.w3.org/TR/clipboard-apis/#mandatory-data-types-x

Further thoughts and TODO

• Should the local storage of copied nodes be removed entirely?
  • It's unlikely a person would want to paste nodes from several days back, but having multiple items in the clipboard may be desirable. Should "copy node -> copy text -> paste text -> paste node" be possible?
• Need to add extra safety to the checks instead of a try/catch block

┆Issue is synchronized with this Notion page by Unito

[github-actions]

🎨 Storybook Build Status

✅ Build completed successfully!

⏰ Completed at: 10/18/2025, 10:44:53 PM UTC

🔗 Links

• 📊 View Workflow Run
• 🎨 View Storybook

---

🎉 Your Storybook is ready for review!

[github-actions]

🎭 Playwright Test Results

⚠️ Tests passed with flaky tests

⏰ Completed at: 10/18/2025, 10:58:15 PM UTC

📈 Summary

• Total Tests: 500
• Passed: 468 ✅
• Failed: 0
• Flaky: 1 ⚠️
• Skipped: 31 ⏭️

📊 Test Reports by Browser

• ✅ chromium: View Report • ✅ 459 / ❌ 0 / ⚠️ 1 / ⏭️ 31
• ✅ chromium-2x: View Report • ✅ 2 / ❌ 0 / ⚠️ 0 / ⏭️ 0
• ✅ chromium-0.5x: View Report • ✅ 1 / ❌ 0 / ⚠️ 0 / ⏭️ 0
• ✅ mobile-chrome: View Report • ✅ 6 / ❌ 0 / ⚠️ 0 / ⏭️ 0

---

🎉 Click on the links above to view detailed test results for each browser configuration.

[github-actions]

Bundle Size Report

App Entry Points

Main application bundles

File	Size	Gzip	Brotli
assets/index-BXUorp66.js	2.02 MB	381 kB	296 kB
assets/index-CuLZTtAC.js
assets/index-DD5DcWuJ.js	9.67 MB	1.99 MB	1.43 MB
assets/index-E0kYOj1H.js
assets/index-PESgPnbc.js	507 B	292 B	249 B

Category Total: 11.7 MB

Core Views

Major application views and screens

File	Size	Gzip	Brotli
assets/GraphView-BLQk4ujW.js
assets/GraphView-Dl5ZtXfw.js	714 kB	139 kB	108 kB
assets/UserSelectView-CmOLExxE.js	7.99 kB	2.39 kB	2.1 kB
assets/UserSelectView-Kp6GcnoT.js

Category Total: 722 kB

UI Panels

Settings and configuration panels

File	Size	Gzip	Brotli
assets/AboutPanel-Bq9ApgWv.js
assets/AboutPanel-vGDNZsjA.js	10.1 kB	2.58 kB	2.27 kB
assets/CreditsPanel-3zjmHteo.js	21.9 kB	5.21 kB	4.54 kB
assets/CreditsPanel-CVBAywTM.js
assets/ExtensionPanel-CmlFl_jy.js	11.9 kB	2.75 kB	2.4 kB
assets/ExtensionPanel-DFmOwtDV.js
assets/KeybindingPanel-ByvuoRWl.js	15.1 kB	3.68 kB	3.24 kB
assets/KeybindingPanel-IQI7hKov.js
assets/ServerConfigPanel-D2PD5OIf.js
assets/ServerConfigPanel-DkqdX3-d.js	8.04 kB	2.08 kB	1.83 kB
assets/UserPanel-D0nz-wnp.js
assets/UserPanel-DkKa465r.js	7.76 kB	1.98 kB	1.72 kB

Category Total: 74.8 kB

Services

Business logic and services

File	Size	Gzip	Brotli
assets/keybindingService-Cnd76Vc_.js
assets/keybindingService-dioQY_yH.js	7.21 kB	1.75 kB	1.5 kB
assets/serverConfigStore-0ePJa9ml.js	2.79 kB	888 B	784 B
assets/serverConfigStore-CB-AA3JS.js

Category Total: 10 kB

Utilities

Helper functions and utilities

File	Size	Gzip	Brotli
assets/mathUtil-CTARWQ-l.js	1.07 kB	525 B	452 B

Category Total: 1.07 kB

Other

Uncategorized bundles

File	Size	Gzip	Brotli
assets/UserAvatar.vue_vue_type_script_setup_true_lang-C9bSkTC5.js	1.12 kB	577 B	494 B

Category Total: 1.12 kB

---

Overall Total Size: 12.5 MB
Total Bundle Count: 15

[claude]

[quality] high Priority

Issue: Generic error handling that swallows specific error details
Context: Using console.error(err) and returning false makes debugging difficult for users when clipboard operations fail
Suggestion: Log specific error message with context like 'Failed to parse clipboard data:' + err.message or provide user-friendly feedback

[claude]

[architecture] high Priority

Issue: Cross-cutting concerns violation - direct access to canvas store within utility function
Context: The pasteClipboardItems function directly calls useCanvasStore() which breaks the dependency injection pattern used in Vue composables
Suggestion: Pass canvas instance as parameter: pasteClipboardItems(data: DataTransfer, canvas: LGraphCanvas): boolean

[claude]

Comprehensive PR Review

This review is generated by Claude. It may not always be accurate, as with human reviewers. If you believe that any of the comments are invalid or incorrect, please state why for each. For others, please implement the changes in one way or another.

Review Summary

PR: Support cross domain/application copy/paste (#6087)
Impact: 44 additions, 28 deletions across 3 files

Issue Distribution

• Critical: 1
• High: 2
• Medium: 1
• Low: 0 (1 comment could not be posted due to line resolution issue)

Category Breakdown

• Architecture: 1 issue
• Security: 1 issue
• Performance: 0 issues
• Code Quality: 3 issues

Key Findings

Architecture & Design

The PR introduces a cross-domain clipboard functionality but has architectural concerns:

• The new pasteClipboardItems function directly accesses useCanvasStore(), violating dependency injection patterns
• Removal of element targeting validation may affect existing workflows
• Method visibility changes in LGraphCanvas lack documentation

Security Considerations

CRITICAL: The implementation has a potential XSS vulnerability where HTML content from clipboard is directly assigned to innerHTML without sanitization. This could allow malicious scripts to execute if an attacker can control clipboard HTML content.

Performance Impact

No significant performance impact identified. The changes maintain existing patterns for clipboard operations.

Integration Points

• Changes affect cross-application clipboard sharing
• Modifications to canvas event handling could impact existing extensions
• DOM manipulation patterns may need testing across different browser environments

Positive Observations

• Good use of btoa/atob for data encoding
• Proper error handling structure with try/catch blocks
• Maintains backward compatibility with existing clipboard operations
• Uses proper Vue composable patterns for most functionality

References

• MDN Clipboard API Security
• Vue Composables Best Practices
• DOMPurify Documentation

Next Steps

1. CRITICAL: Address the XSS vulnerability in pasteClipboardItems function before merge
2. Refactor pasteClipboardItems to use dependency injection
3. Add comprehensive tests for cross-domain clipboard functionality
4. Consider adding user-facing error messages for clipboard failures

---

This is a comprehensive automated review. For architectural decisions requiring human judgment, please request additional manual review.

[christian-byrne]

LGTM