From https://phabricator.services.mozilla.com/D135333#4873268: > Orthogonally, I recall that we talked about this project quite a while ago. I don't remember with 100% certainty if I raised it at the time (I hope/think I did?): what are we doing to prevent clickjacking/keyboard-jacking of the menu item? > > That is, if I wrote a malicious website that said something like: "Press P lots of times to win a prize", and call this API on the first keypress, and expect the second keypress to activate the access key of the context menu item (on linux/windows) - does that work? Are we trying to avoid that working? (the typical workaround would be to disable the menuitem initially and enable it on a timeout)
Bug 1774163 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
From https://phabricator.services.mozilla.com/D135333#4873268: > Orthogonally, I recall that we talked about this project quite a while ago. I don't remember with 100% certainty if I raised it at the time (I hope/think I did?): what are we doing to prevent clickjacking/keyboard-jacking of the menu item? > > That is, if I wrote a malicious website that said something like: "Press P lots of times to win a prize", and call this API on the first keypress, and expect the second keypress to activate the access key of the context menu item (on linux/windows) - does that work? Are we trying to avoid that working? (the typical workaround would be to disable the menuitem initially and enable it on a timeout) It can't hurt to check what Safari does to prevent this.
From https://phabricator.services.mozilla.com/D135333#4873268: > Orthogonally, I recall that we talked about this project quite a while ago. I don't remember with 100% certainty if I raised it at the time (I hope/think I did?): what are we doing to prevent clickjacking/keyboard-jacking of the menu item? > > That is, if I wrote a malicious website that said something like: "Press P lots of times to win a prize", and call this API on the first keypress, and expect the second keypress to activate the access key of the context menu item (on linux/windows) - does that work? Are we trying to avoid that working? (the typical workaround would be to disable the menuitem initially and enable it on a timeout) It can't hurt to check what Safari does to prevent this. Steps to play around with this: 1) Use current Nightly. 2) Flip the pref "dom.events.asyncClipboard.readText" to true. 3) Open https://jsfiddle.net/68hng59s/. 4) Click the "X" button. A "Paste" button should occur. Be aware of bug 1766803. 5) Press the shortcut key for pasting, "p" (assumes the browser's language is English).