Each test below attempts one of the architectural bypasses from the analysis.
If the hook or the existing detector catches the write, the tab redirects to
blocked.html — that redirect is the
“blocked” signal. If no redirect happens, the bypass succeeded;
paste into the textarea or click “Read clipboard” to confirm.
navigator.clipboard.writeText()
Expect: blockedAsync API, no copy/cut event. Step-1 hook on Clipboard.prototype.writeText should catch this.
navigator.clipboard.write() single-format
Expect: blockedSingle text/plain blob. Hook on Clipboard.prototype.write reads the blob and runs the regex.
navigator.clipboard.write() multi-format (HTML decoy)
Expect: blockedVisible HTML form is benign; text/plain is the command. Terminals paste plain text. Hook inspects the text/plain blob.
DataTransfer.setData
Expect: blockedUsed by drag-to-terminal lures. Hook on DataTransfer.prototype.setData intercepts. This test invokes setData directly to exercise the hook without requiring a drag gesture.
about:blank child frame
Expect: blockedManifest now sets match_about_blank: true, so the MAIN-world hook and bridge both load inside the child frame. Parent reaches into frame.contentWindow.navigator.clipboard; the child’s patched prototype catches it.
stopImmediatePropagation on copy
Expect: still bypassesPage installs a capture-phase listener on window that swallows the copy event before the selection-based detector sees it. Step 1 only covers the async API and DataTransfer; the selection → getSelection() path is unchanged. This test should still leave the payload on the clipboard.
Hidden textarea, programmatic selection of the payload, execCommand('copy'). The existing selection-based detector should match and clear the clipboard. Use this to confirm the extension is loaded before interpreting the other results.