Closed Bug 1410589 Opened 8 years ago Closed 8 years ago

UI: dropdown button while page asks for location is a bad exp.

Categories

(Firefox :: Site Identity, defect)

defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: mojonojo007, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160802213348

Steps to reproduce:
Nothing, just visit a site which asks for location.

Actual results:
UI: a normal peep can be distracted by manipulating the mouse pointer to see the other part of the screen and allow him to share location. I remember the guy who manipulated the mouse pointer on screen in the clickjacking attack; this can be used here.

Expected results:
A different auth box IN THE CENTER OF THE PAGE.

The mouse manipulation attack was explained at DEF CON, I think.
Popping up a prompt in the middle of the page is 1) worse for "surprise click" attacks, and 2) more easily spoofed because that area can be entirely displayed by the web content. By overlapping the chrome area (not enough IMHO) the "doorhanger" tries to be an unspoofable piece of UI. The permission should not be granted unless the user clicks the right area of the button; it shouldn't be possible to grant by distracting them elsewhere. (There's also the "fake cursor" trick where the user looks at a fake image that moves with the real cursor but offset, so they hopefully don't notice the real cursor clicking on something.)
Group: core-security
Component: Geolocation → Site Identity and Permission Panels
Product: Core → Firefox
If you have an actual proof of concept for a click-jacking attack, please (responsibly) report it. As said in comment 2, the points in this bug don't give us reason to change the prompt. As long as we display page content while showing the permission prompt there's no way to fully prevent "fake cursor" attacks, which is a trade-off we're willing to take at this point.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX