Cross-Device Work

A Cross-Device Clipboard That Respects Permissions and Privacy

Design a clipboard handoff between computer and phone with browser permissions, receipts, separate queues, offline behavior, conflict handling, history cleanup, and safe analytics.

Moving an address from a laptop to a phone, or a one-time code in the other direction, should be quicker than sending yourself a chat message. Yet “automatically sync the clipboard” is a hazardous promise. The system clipboard may contain a password, recovery code, customer record, or private key from the previous minute. A web page should not keep reading and broadcasting it in the background.

Convenience and safety can coexist. Treat clipboard sharing as one deliberate handoff, then make connection state, delivery, queues, conflicts, and local history understandable.

Why a browser cannot sync silently

The Clipboard API requires a secure context and commonly applies permission or transient user-activation rules to reads. Details vary between browsers, and background pages face tighter restrictions. A receive-side click is also a good boundary for writing to the system clipboard: the person knows what is being copied.

A more reliable flow than polling once per second is: on A, click Read or paste into a field, inspect the preview, and send. B sees content type and source, then chooses Copy. A trusted device connection does not make every piece of content automatically trusted.

An item is more than a string

Each item needs an ID, sending device, creation time, content type, byte size, and status. The body travels over the encrypted P2P channel. Status can be pending, delivered, copied, expired, deleted, or cancelled. Plain text is the dependable foundation; images and rich content need explicit size limits and fallback.

Never inject remote HTML into the page. Render as text or apply strict sanitization. Links open only after a click and should reveal their actual domain. Collapse very long text so one multi-megabyte item cannot freeze the interface or delay connection control.

Offline behavior and separate queues

In pure P2P mode, an offline peer cannot receive. The sender may retain a short-lived local pending item and ask whether to continue after recovery, or mark it undelivered. Server-backed storage is a separate data boundary that requires an explanation of encryption, retention, capacity, and deletion.

Outgoing and incoming queues should be separate. When both peers send, IDs deduplicate items instead of a global “latest value” overwriting one side. After reconnection, exchange acknowledged IDs and retry only unconfirmed items. A delete or cancel is a terminal state and must not return on the next session.

Concurrent items are not a conflict to erase

If A and B each create an item during a disconnect, choosing by local timestamp is unsafe because device clocks differ. Keep both items and show their source in receive order. A longer synchronized history can use per-device monotonic counters plus a session or server logical clock.

History should remain local by default and have a cap, such as twenty items or twenty-four hours. Password-like strings, one-time codes, and private-key markers can trigger a “sensitive, clear soon” hint, but no detector recognizes every secret. Provide immediate per-item deletion and clear-all for the current device.

Text, images, and files need different treatment

A screenshot can be a clipboard image or a file. A small image is convenient to preview and copy; a large image belongs in the file protocol with chunks, backpressure, resume, and a digest. URLs, phone numbers, and email addresses may offer actions, but ordinary Copy must remain and the site should never execute an action automatically.

Rich text loses fidelity across platforms. Send text/plain alongside a constrained format description and fall back to text on unsupported receivers. A MIME label from a peer is only a claim; validate bytes before rendering.

Protect content from telemetry and notifications

Clipboard bodies, exact lengths, hashes, previews, and source applications do not belong in analytics. Useful events are feature opened, coarse type, size bucket, delivery outcome, copy action, expiry, and deletion. Error messages must not interpolate the body before they are collected.

On a shared computer, locking the page, signing out, or revoking trust can clear local history according to user preference. Notifications should say “Clipboard item received” rather than displaying the full content on a lock screen.

Test every handoff state

Test A sending text and B copying it; B declining; simultaneous sends; disconnect before send; lost delivery acknowledgement; reconnect deduplication; delayed cancellation; very long and empty text; emoji and multilingual text; an HTML script fragment; a small image and an oversized one; refresh; expiry; clear-all; and notification previews.

Across browsers, also test denied permission, background tabs, and environments without clipboard read. Offer a manual paste field as fallback instead of disabling the whole feature. The uCopy P2P clipboard centers explicit handoff: you decide which item leaves one device and which item enters the other device’s clipboard.

Put the guide to work

Open uCopy and connect two devices securely from the browser.

Start for free