Closed Bug 841304 Opened 11 years ago Closed 11 years ago

click to play feature supposedly "clickjackable"

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 832481

People

(Reporter: freddy, Assigned: keeler)

References

(
URL
)

Details

Attachments

(1 file)

prototype
4.31 KB, patch
Details | Diff | Splinter Review 
According to .mario, the click-to-play feature is clickjackable. Users could be tricked into enabling plugins and opening the attack surface of blocked plugins.

From his tweet at https://twitter.com/0x6D6172696F/status/291861651907563520
(his account protected):
> Why exactly is Firefox's Click-To-play overlay "clickjackable"?
> http://bit.ly/U3fqkW  Code-exec just one invisible click away

His main point is that the click-to-play features is an overlay in the DOM. If the yes/no/never button was in the main browser window instead (like our geolocation prompt, as chrome does it), this issue would not arise.


I'm marking this as core security, but feel free to lift this restriction if you oppose.
Well, this probably doesn't need to be core-security, because it's not really a secret. I think bug 838999 was opened in response to this tweet. If I recall correctly, there's also another bug along similar lines but with a different mechanism.

The original specification for the feature explicitly stated that click-jacking prevention was out of scope. Now that we've got the initial implementation, we're going back and re-working some of the UI partly for this exact reason. There's a thread in dev.apps.firefox ("Click-to-play design wireframes") for anyone curious.
Group: core-security
Component: General → Plug-ins
Product: Firefox → Core
Depends on: 832481
Attached patch prototypeSplinter Review 
Here's a quick implementation of one idea we had ( http://cl.ly/image/3m202H2R001J )
My current approach is actually pretty terrible for multiple reasons:
 - I feel like I'm reinventing all the wheels
 - xul popup panels don't work unless the root binding (I think?) is xul. This means that I can't put a panel in the plugin problem binding and have it work on a per-element basis. So, I had to put a panel in browser.xul, which has all sorts of problems.
Any feedback would be appreciated.
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
I'm just going to mark this a duplicate.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: