Why do websites prevent pasting via onpaste="return false;"
Why do websites do this? Isn't it trivial for bots etc to easily side-step any protection this might give? Or is it just to make people "double-check" their inputs? I find it completely maddening because I would assume I'm way more likely to correctly input a copy-pasted e.g. routing or account number than if I have to manually enter anything. Can we just agree this is terrible UI and is probably detrimental to correct data entry? What am I missing? In frustration I even sometimes open the dev tools and remove this attribute on elements out of spite.
It is a god awful pattern! It should be gotten rid of across the web.
However, I have noticed that, on some fields, the field rejects certain input without any message if the input is not the correct intended field type. For example, copying a numeric one time password from an email which gets copied as string and pasting on a field which only accepts numbers. This might look like paste blocking but its not.
You're not wrong in any capacity. It's just bad and doesn't improve any "security" if that was intended.
> Can we just agree this is terrible UI
It is, but they had some "checklist" that included "block paste" for reasons unknown, and so they blocked pasting.
In firefox, if you change the about:config setting "dom.event.clipboardevents.enabled" to false you'll be able to paste no matter whether the website operator has "block paste" on their braindead checklist or not.