Closed
Bug 1414937
(CVE-2024-5697)
Opened 8 years ago
Closed 2 years ago
Websites should not be able to detect that someone is taking a screenshot of them
Categories
(Firefox :: Screenshots, defect, P2)
Tracking
()
RESOLVED
FIXED
People
(Reporter: clouserw, Unassigned)
References
(Depends on 1 open bug)
Details
(Keywords: csectype-disclosure, privacy, sec-low, Whiteboard: [fixed by bug 1870127][screenshots-extension][adv-main127+])
Attachments
(1 file)
212 bytes, text/plain
It's currently possible to detect the frame we're injecting. It shouldn't be possible to detect someone taking a screenshot.
I'm not going to file a separate bug because it's probably a subset, but "A website should not be able to interfere with someone taking a screenshot" is a part of this bug also, and if it's a different technical solution we should file that bug separately.
Comment 1•8 years ago
Shane has been experimenting with an overlay API: https://github.com/mixedpuppy/layers – it's just an experiment, not something that's gone through design or prioritization.
Comment 2•8 years ago
TBH, I'm not really sure this should depend on bug 1340930 being implemented, it's not clear that we will.
Updated•8 years ago
Updated•5 years ago
Severity: normal → S4
Priority: -- → P2
Comment 4•4 years ago
Note also, from dupe 1753823, that detecting the screenshot elements also allows grabbing the unique moz-extension:// guid, allowing the user to be exactly identified in the future. That's already known as a general issue from injected Web Extension content, and affects some extensions much worse (this one only allows users to be tracked when they take screenshots, but most people don't do that all the time).
Type: enhancement → defect
Whiteboard: [fingerprinting]
Updated•3 years ago
Whiteboard: [fingerprinting] → [screenshots-extension]
Comment 5•2 years ago
Fixed in nightly with the pref flipped in bug 1870127 to make the new implementation the default. We now avoid injecting the iframe and use the anonymous content document to host the overlay UI.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
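The exposure described in comment 4 and closed by comment 5 can be checked from an extension author's side with a snapshot audit. This is an added example, not Mozilla's code or part of the bug: `auditSnapshots`, the sample markup, the `example-overlay` id and the all-zero UUID are constructed placeholders, and it assumes that UI hosted outside the page DOM leaves the page-visible snapshot unchanged.

```javascript
// Audit two serialized page snapshots (e.g. documentElement.outerHTML taken
// before and after the extension UI is opened) for page-observable traces.
const MOZ_EXT_URL =
  /moz-extension:\/\/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})[^\s"'<>)]*/gi;
// Opening tags only; closing tags and doctype do not match.
// Limitation: attribute values containing '>' are not handled.
const OPEN_TAG = /<([a-zA-Z][\w-]*)([^<>]*)>/g;

// Multiset of normalized "tag + attributes" signatures in a snapshot.
function openTags(html) {
  const counts = new Map();
  for (const m of html.matchAll(OPEN_TAG)) {
    const sig = `<${m[1].toLowerCase()}${m[2].replace(/\s+/g, ' ').trimEnd()}>`;
    counts.set(sig, (counts.get(sig) || 0) + 1);
  }
  return counts;
}

function auditSnapshots(beforeHtml, afterHtml) {
  const before = openTags(beforeHtml);
  const addedElements = [];
  for (const [sig, n] of openTags(afterHtml)) {
    const extra = n - (before.get(sig) || 0);
    for (let i = 0; i < extra; i++) addedElements.push(sig);
  }
  // Any moz-extension:// URL in page-visible markup exposes the per-install UUID.
  const uuids = new Set();
  for (const m of afterHtml.matchAll(MOZ_EXT_URL)) uuids.add(m[1].toLowerCase());
  return {
    addedElements,
    leakedUuids: [...uuids],
    pageObservable: addedElements.length > 0 || uuids.size > 0,
  };
}

// Constructed sample input (not captured from Firefox).
const BASELINE = '<html><body><h1>Account</h1><p>Balance</p></body></html>';
const INJECTED = BASELINE.replace('</body>',
  '<iframe id="example-overlay" ' +
  'src="moz-extension://00000000-0000-4000-8000-000000000000/overlay.html">' +
  '</iframe></body>');

console.log(auditSnapshots(BASELINE, INJECTED)); // iframe-in-page design
console.log(auditSnapshots(BASELINE, BASELINE)); // UI hosted outside page DOM
```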
Updated•2 years ago
Group: firefox-core-security → core-security-release
status-firefox126:
--- → wontfix
status-firefox127:
--- → fixed
status-firefox-esr115:
--- → wontfix
Depends on: 1870127
Whiteboard: [screenshots-extension] → [fixed by bug 1870127][screenshots-extension]
Updated•2 years ago
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Updated•2 years ago
Whiteboard: [fixed by bug 1870127][screenshots-extension] → [fixed by bug 1870127][screenshots-extension][adv-main127+]
Comment 6•2 years ago
Updated•2 years ago
Alias: CVE-2024-5697
Updated•1 year ago
Group: core-security-release