Closed
Bug 1033354
Opened 10 years ago
Closed 6 years ago
Gaia attention screen available to privileged apps bears clickjacking risks
Categories
(Firefox OS Graveyard :: Gaia::System::Window Mgmt, defect)
Tracking
(blocking-b2g:-)
RESOLVED
INCOMPLETE
People
(Reporter: freddy, Unassigned)
References
Details
(Keywords: csectype-spoof, sec-moderate)
Attachments
(3 files)
+++ This bug was initially created as a clone of Bug #991011 +++

A popup with the attention flag has no border and a transparent background. The popup is almost always on top and it is very hard for the user to distinguish between the active app's content and this popup (that may come from a rogue app). I am attaching some screenshots.
Comment 1•10 years ago
Comment 2•10 years ago
Comment 3•10 years ago
For me, the attention window switches unreliably between the three modes shown in the screenshot. It is sometimes under or over the current app. Sometimes it's shown alone with the background window behind and the current app not shown.
Comment 4•10 years ago
We probably should whitelist Loop to use attention screen for 2.0 & prevent other apps from using attention screen for 2.0, since doing a real fix here likely is going to be too much risk at this point of the release. I do think we need a fix here for 2.0 though, so I'm noming this.
blocking-b2g: --- → 2.0?
Updated•10 years ago
Whiteboard: [perf-reviewed]ft:loop → ft:loop
Updated•10 years ago
Component: Gaia → Gaia::System::Window Mgmt
Comment 5•10 years ago
Vivien, David -- Who is the best owner for this bug? We need an owner ASAP. Thanks!
Flags: needinfo?(david.scravaglieri)
Flags: needinfo?(21)
Comment 6•10 years ago
(In reply to Jason Smith [:jsmith] from comment #4)
> We probably should whitelist Loop to use attention screen for 2.0 & prevent
> other apps from using attention screen for 2.0, since doing a real fix here
> likely is going to be too much risk at this point of the release.

Yes. This will be covered in bug 1024396.
Comment 7•10 years ago
(In reply to Maire Reavy [:mreavy] (Plz needinfo me) from comment #5)
> Vivien, David -- Who is the best owner for this bug? We need an owner ASAP.
> Thanks!

Fernando will work on bug 1024396, which covers this issue, so removing the ni to David and Vivien.
Flags: needinfo?(david.scravaglieri)
Flags: needinfo?(21)
Comment 8•10 years ago
(In reply to Jason Smith [:jsmith] from comment #4)
> I do think we need a fix here for 2.0 though, so I'm noming this.

Fully agree. Jason, resolving the bug as a duplicate and moving the nomination to bug 1024396.
Status: NEW → RESOLVED
blocking-b2g: 2.0? → -
Closed: 10 years ago
Resolution: --- → DUPLICATE
Comment 9•10 years ago
While I agree this is fixed for 2.0 by bug 1024396 (mostly by exposing the permission only to Loop), if the attention screen is going to be exposed to all privileged apps for 2.1, this should be fixed. So keeping this open to track that.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 10•10 years ago
So this is a v2.1 bug, correct? (I just want to make sure it gets properly categorized.) Thanks.
Flags: needinfo?(amac)
Comment 11•10 years ago
If the special permissions introduced in 1024936 are going to be removed in 2.1, then yes, otherwise 2.2 (or whenever that's done).
Flags: needinfo?(amac)
Comment 12•10 years ago
(In reply to Antonio Manuel Amaya Calvo (:amac) from comment #11)
> If the special permissions introduced in 1024396 are going to be removed in
> 2.1, then yes, otherwise 2.2 (or whenever that's done).

Thanks for clarifying.
Whiteboard: ft:loop
Comment 13•6 years ago
FirefoxOS is no longer under active development.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 6 years ago
Resolution: --- → INCOMPLETE