Day 4 of building ReFind, and I found a bug that I'm embarrassed took me
this long to find.
My clipboard listener Chrome extension was capturing everything I copied.
Not just URLs — passwords, phone numbers, random text, partial sentences.
All of it was being sent to my webhook endpoint without any validation.
Here's how I fixed it and why this validation step should be first in
any clipboard-touching Chrome extension.
The Problem
The clipboard listener flow looked like this:
- Copy event fires
- Extension reads clipboard
- Extension sends to webhook
Step 3 had no filter. Every copy event, every piece of content, went through.
The Fix: URL Validation Regex
I added a validation check as the absolute first step in the pipeline,
before any processing, storage, or network calls:
const URL_PATTERN = /^https?:\/\/[^\s$.?#].[^\s]*$/i;

function isValidUrl(text) {
  // Only a single http(s) URL passes; undefined input coerces to "undefined" and fails the test
  return URL_PATTERN.test(text?.trim());
}

// In the event handler, before any logging, storage, or network call:
const clipboardText = await readClipboard();
if (!isValidUrl(clipboardText)) return; // Drop immediately
This check happens before anything else. If the content isn't a URL,
the handler returns immediately. Nothing is logged, nothing is sent,
nothing is stored. The clipboard data is discarded.
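As an added example (not the post's or ReFind's own code), here is a fail-closed version of the same first-step filter that relies on the browser's URL parser instead of a regex, so a password or pasted message is rejected by the parser rather than by a hand-written pattern, and URLs carrying embedded credentials are dropped outright. The MAX_URL_LENGTH cap, the reason strings and the sendToWebhook callback are assumptions for illustration.

```javascript
// Added example: fail-closed clipboard filter for a URL-collecting extension.
// Everything not explicitly allowed is dropped before any other processing.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const MAX_URL_LENGTH = 2048; // assumed cap; match it to your webhook's limit

// Returns { allow: true, url } for a forwardable URL, otherwise
// { allow: false, reason } so the caller can count drops without storing content.
function filterClipboard(text) {
  if (typeof text !== "string") return { allow: false, reason: "not-text" };
  const trimmed = text.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_URL_LENGTH) {
    return { allow: false, reason: "length" };
  }
  // A single URL never contains whitespace; multi-word text is a message, not a link.
  if (/\s/.test(trimmed)) return { allow: false, reason: "whitespace" };
  let url;
  try {
    url = new URL(trimmed); // WHATWG parser; throws on anything that is not absolute
  } catch {
    return { allow: false, reason: "unparseable" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { allow: false, reason: "protocol" }; // rejects javascript:, mailto:, file:, ...
  }
  // user:password@host is a secret; never forward it, even as part of a URL.
  if (url.username || url.password) {
    return { allow: false, reason: "credentials" };
  }
  // The fragment never reaches a server and frequently carries tokens; strip it.
  url.hash = "";
  return { allow: true, url: url.href };
}

// Handler shape: the filter is the first statement, before logging, storage or
// network calls. sendToWebhook is an assumed async callback supplied by the extension.
async function onClipboardText(text, sendToWebhook) {
  const result = filterClipboard(text);
  if (!result.allow) return result.reason; // drop immediately, nothing retained
  await sendToWebhook(result.url);
  return "sent";
}
```

Query strings can still carry session tokens; whether to strip them is a policy decision this filter leaves to the caller.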
Why This Is a Privacy Issue, Not Just a Bug
An extension that captures clipboard content without validation is
functionally capturing everything the user copies. Users routinely copy
passwords, OTPs, sensitive messages, and personal information, so this is a
meaningful privacy problem.
Chrome's extension permission model requires justifying clipboard access
in your store listing. An extension that uses that access broadly (capturing
everything) and narrowly describes itself (URL collector) is at risk of
policy violations, user trust issues, and justified negative reviews.
The Validation Should Be First, Not Last
The instinct when building is to "add validation later." This is the wrong
order for clipboard extensions. Validate at the earliest possible point
in the pipeline — before you do anything with the data.
If you're building something that touches the clipboard, the first line
of your handler should be a validity check that drops everything you
don't intend to process.
This one addition changes the security profile of the extension entirely.