Bug 1774163 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

From https://phabricator.services.mozilla.com/D135333#4873268:

> Orthogonally, I recall that we talked about this project quite a while ago. I don't remember with 100% certainty if I raised it at the time (I hope/think I did?): what are we doing to prevent clickjacking/keyboard-jacking of the menu item?
> 
> That is, if I wrote a malicious website that said something like: "Press P lots of times to win a prize", and call this API on the first keypress, and expect the second keypress to activate the access key of the context menu item (on linux/windows) - does that work? Are we trying to avoid that working? (the typical workaround would be to disable the menuitem initially and enable it on a timeout)
From https://phabricator.services.mozilla.com/D135333#4873268:

> Orthogonally, I recall that we talked about this project quite a while ago. I don't remember with 100% certainty if I raised it at the time (I hope/think I did?): what are we doing to prevent clickjacking/keyboard-jacking of the menu item?
> 
> That is, if I wrote a malicious website that said something like: "Press P lots of times to win a prize", and call this API on the first keypress, and expect the second keypress to activate the access key of the context menu item (on linux/windows) - does that work? Are we trying to avoid that working? (the typical workaround would be to disable the menuitem initially and enable it on a timeout)

It can't hurt to check what Safari does to prevent this.
From https://phabricator.services.mozilla.com/D135333#4873268:

> Orthogonally, I recall that we talked about this project quite a while ago. I don't remember with 100% certainty if I raised it at the time (I hope/think I did?): what are we doing to prevent clickjacking/keyboard-jacking of the menu item?
> 
> That is, if I wrote a malicious website that said something like: "Press P lots of times to win a prize", and call this API on the first keypress, and expect the second keypress to activate the access key of the context menu item (on linux/windows) - does that work? Are we trying to avoid that working? (the typical workaround would be to disable the menuitem initially and enable it on a timeout)

It can't hurt to check what Safari does to prevent this.

Steps to play around with this:

1) Use current Nightly.
2) Flip the pref "dom.events.asyncClipboard.readText" to true.
3) Open https://jsfiddle.net/68hng59s/.
4) Click the "X" button. A "Paste" button should occur. Be aware of bug 1766803.
5) Press the shortcut key for pasting, "p" (assumes the browser's language is English).

Back to Bug 1774163 Comment 0