Closed
Bug 841304
Opened 11 years ago
Closed 11 years ago
click to play feature supposedly "clickjackable"
Categories
(Core Graveyard :: Plug-ins, defect)
Core Graveyard
Plug-ins
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 832481
People
(Reporter: freddy, Assigned: keeler)
References
()
Details
Attachments
(1 file)
4.31 KB,
patch
|
Details | Diff | Splinter Review |
According to .mario, the click-to-play feature is clickjackable. Users could be tricked into enabling plugins and opening the attack surface of blocked plugins. From his tweet at https://twitter.com/0x6D6172696F/status/291861651907563520 (his account protected): > Why exactly is Firefox's Click-To-play overlay "clickjackable"? > http://bit.ly/U3fqkW Code-exec just one invisible click away His main point is that the click-to-play features is an overlay in the DOM. If the yes/no/never button was in the main browser window instead (like our geolocation prompt, as chrome does it), this issue would not arise. I'm marking this as core security, but feel free to lift this restriction if you oppose.
Assignee | ||
Comment 1•11 years ago
|
||
Well, this probably doesn't need to be core-security, because it's not really a secret. I think bug 838999 was opened in response to this tweet. If I recall correctly, there's also another bug along similar lines but with a different mechanism. The original specification for the feature explicitly stated that click-jacking prevention was out of scope. Now that we've got the initial implementation, we're going back and re-working some of the UI partly for this exact reason. There's a thread in dev.apps.firefox ("Click-to-play design wireframes") for anyone curious.
Updated•11 years ago
|
Group: core-security
Updated•11 years ago
|
Component: General → Plug-ins
Product: Firefox → Core
Assignee | ||
Comment 2•11 years ago
|
||
Here's a quick implementation of one idea we had ( http://cl.ly/image/3m202H2R001J ) My current approach is actually pretty terrible for multiple reasons: - I feel like I'm reinventing all the wheels - xul popup panels don't work unless the root binding (I think?) is xul. This means that I can't put a panel in the plugin problem binding and have it work on a per-element basis. So, I had to put a panel in browser.xul, which has all sorts of problems. Any feedback would be appreciated.
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Comment 3•11 years ago
|
||
I'm just going to mark this a duplicate.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•