Web sites can steal ctrl+f

Status: RESOLVED WONTFIX
Opened 3 years ago, updated 2 months ago

Reporter: calestyo
Assignee: Unassigned
Firefox Tracking Flags: Not tracked

Description

3 years ago
Hey.

This is basically the same as #1008772.

Websites, e.g. contacts.google.com, can apparently steal Ctrl+F.
Instead of opening FF's search bar, which searches the current website, it forcibly goes to Google's search field on the site (which, however, searches something completely different).

It's quite worrying that FF allows websites to steal so many key combinations... especially also from a security PoV.

Chris.

Comment 1

3 years ago
For clarity: it appears the first ctrl-f is captured. All subsequent ctrl-f's go to the browser's find handler. This is similar to Chrome.
I don't think this is Developer Tools related, is it? I don't think DevTools can do anything about this, am I correct, Patrick?

Furthermore, I'm not sure up to which point we can get in the way of the website. How are they going to know all the shortcuts all browsers use?

(Sorry for the late response, sometimes bugs slip through the gaps)
Flags: needinfo?(pbrosset)

Sole is correct, this isn't a devtools thing, and there is not much the browser can do here.
e.preventDefault() can give websites a lot of power. And this is used by many of them to create nice user experiences.

Anyway, this:

addEventListener("keydown", e => {
  if (e.ctrlKey && e.key === "f") {
    document.body.appendChild(document.createTextNode("ctrl+F"));
    e.preventDefault();
  }
});

will capture ctrl+F on all browsers and prevent the search box from opening.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 months ago
Flags: needinfo?(pbrosset)
Resolution: --- → WONTFIX

Another similar thing is "ctrl shift T" in a gmail message => instead of reopening the last closed tab, it moves to the next field in the message.

I believe we could do something in Firefox, like a pref preventing a website from stealing apps and system shortcuts. Or maybe a doorhanger notification "We noticed this website handled this shortcut that's also used by Firefox, do you want to execute this action instead?". At least this is not in devtools but maybe a bug could be filed against the Firefox product.
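
Added example (not part of the bug comments and not Firefox code): a small audit helper that dispatches synthetic keydown events and reports which shortcuts a page's handlers cancel with preventDefault(), the mechanism shown in the listener above and the kind of signal the doorhanger idea would rely on. The shortcut list, the function names and the stand-in page are assumptions made for the illustration.

```javascript
// Added example: report which browser shortcuts a page's keydown handlers cancel.
// SHORTCUTS is a constructed sample list, not Firefox's own shortcut table.
const SHORTCUTS = [
  { key: "f", ctrlKey: true, shiftKey: false, action: "find in page" },
  { key: "T", ctrlKey: true, shiftKey: true, action: "reopen closed tab" },
  { key: "p", ctrlKey: true, shiftKey: false, action: "print" },
];

// Build a cancelable keydown event. Browsers provide KeyboardEvent; plain
// Node.js does not, so fall back to Event with the key fields copied on.
function makeKeydown({ key, ctrlKey, shiftKey }) {
  const init = { key, ctrlKey, shiftKey, bubbles: true, cancelable: true };
  if (typeof KeyboardEvent === "function") {
    return new KeyboardEvent("keydown", init);
  }
  return Object.assign(new Event("keydown", init), { key, ctrlKey, shiftKey });
}

// Dispatch each shortcut at `target` and collect the actions whose default
// was cancelled with preventDefault(). The target's real handlers run.
function auditShortcutCapture(target, shortcuts = SHORTCUTS) {
  const captured = [];
  for (const shortcut of shortcuts) {
    const ev = makeKeydown(shortcut);
    target.dispatchEvent(ev);
    if (ev.defaultPrevented) captured.push(shortcut.action);
  }
  return captured;
}

// Constructed stand-in for a page: the same check as the listener quoted
// in the thread, without the DOM write.
function demoPage() {
  const page = new EventTarget();
  page.addEventListener("keydown", (e) => {
    if (e.ctrlKey && e.key === "f") e.preventDefault();
  });
  return page;
}

console.log(auditShortcutCapture(demoPage()));
```

In a browser console, `auditShortcutCapture(window)` runs the page's real handlers, so any side effects they have will occur. Synthetic events have `isTrusted` set to false, so a handler that checks that flag will not show up in the result.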

Updated

2 months ago
Product: Firefox → DevTools