Don't allow entering fullscreen on right / middle click

RESOLVED FIXED in Firefox 69

Status


defect
P3
normal
RESOLVED FIXED
2 years ago
Last month

People

(Reporter: kernp25, Assigned: pbz)

Tracking

(Blocks 1 bug)

unspecified
mozilla69

Firefox Tracking Flags

(firefox69 fixed)

Details

Attachments

(1 attachment)

Reporter

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180108100050

Steps to reproduce:

This bad site: http://toolantivirusextt.biz/ff/?_subid=3jpku2d46hbgv2g7jbd&_token=uuid_3jpku2d46hbgv2g7jbd_3jpku2d46hbgv2g7jbd5a4a3a2b64a7b0.53500257

Right-clicking or middle-clicking on the page opens it in full screen.




Expected results:

I think Firefox should check which button the user clicked and then decide to open in full screen or not.

Full screen should only work for left-click.
Reporter

Comment 1

2 years ago
What do you think?
Flags: needinfo?(gijskruitbosch+bugs)
Reporter

Comment 2

2 years ago
In Microsoft Edge, the site does not enter full screen mode when clicking on the page.

Comment 3

2 years ago
Jonathan, who's working on full screen mode these days?
Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(jkt)
Summary: prevent malicious website from entering fullscreen → Don't allow entering fullscreen on right / middle click
Reporter

Comment 4

2 years ago
Or what do you think of this idea?
Make full screen only work for button elements?
Is this a good idea?

Comment 5

2 years ago
(In reply to kernp25 from comment #4)
> Or what do you think of this idea?
> Make full screen only work for button elements?
> Is this a good idea?

That would contravene the spec and probably break genuine websites that use fake buttons implemented in <div> or <a> or whatever.

I don't see a good heuristic way to really do much about these types of sites given the way requestFullScreen currently works. Even checking the size of the element that's requesting full screen won't help because the websites can just tile <body> with single elements that aren't too big.
Reporter

Comment 6

2 years ago
This site is really bad and should be completely blocked by Firefox.
This is one of the eviltraps that we are tracking.

I'm not sure who maintains fullscreen at the moment. I thought for some reason someone was looking into this recently though.

We probably could prevent:
- Right click opening fullscreen
- Fullscreen from opening when another browser prompt is shown

Other than that, this really should be picked up by phishing/malware protection lists which would block sites like this.
Blocks: eviltraps
Flags: needinfo?(jkt)

Comment 8

Last year
Reproducible on Windows 10 x64, Windows 7 x32, Mac OS X 10.12 and Ubuntu 16.04 x64 on Firefox nightly 60.0a1 (2018-02-04).
Component: Untriaged → Event Handling
Product: Firefox → Core
Priority: -- → P3
Component: Event Handling → User events and focus handling
Assignee

Updated

2 months ago
Assignee: nobody → pbz
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #9065441 - Attachment description: Bug 1428913 - Deny full-screen on right or middle mouse button. r=johannh → Bug 1428913 - Deny full-screen on right or middle mouse button. r=smaug
Assignee

Updated

Last month
Keywords: checkin-needed

Comment 10

Last month

Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/eaafaaab2b4d
Deny full-screen on right or middle mouse button. r=smaug

Keywords: checkin-needed

Comment 11

Last month
bugherder
Status: ASSIGNED → RESOLVED
Closed: Last month
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
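
A simplified model of the rule this bug landed (deny fullscreen for right or middle mouse buttons), written as an added example; it is not Firefox's code and was not posted by anyone in this bug. The function names, the event set and the reason strings are assumptions made for illustration.

```javascript
// Simplified model of the rule from this bug: a fullscreen request made while
// handling a mouse event is honoured only for the primary (left) button.
// Hypothetical names throughout; this is not Firefox source code.

const PRIMARY_BUTTON = 0; // MouseEvent.button: 0 = left, 1 = middle, 2 = right
const MOUSE_EVENTS = new Set(["mousedown", "mouseup", "click", "auxclick", "contextmenu"]);

// Decide whether a requestFullscreen() call made inside the handler for
// `ev` should be granted. `ev` mirrors the DOM Event fields used here.
function fullscreenDecision(ev) {
  // Modelling assumption: an event dispatched by script alone (isTrusted
  // false) is not user input, so it cannot justify entering fullscreen.
  if (!ev.isTrusted) {
    return { allowed: false, reason: "no-user-gesture" };
  }
  // The check looks at the button, not at the target element, so it does
  // not depend on element type or size (the heuristics rejected in comment 5).
  if (MOUSE_EVENTS.has(ev.type) && ev.button !== PRIMARY_BUTTON) {
    return { allowed: false, reason: "non-primary-mouse-button" };
  }
  return { allowed: true, reason: "user-gesture" };
}

// Constructed sample gestures (not captured from any real page).
const SAMPLE_GESTURES = [
  { type: "click", button: 0, isTrusted: true },      // left click on a control
  { type: "auxclick", button: 1, isTrusted: true },   // middle click
  { type: "mousedown", button: 2, isTrusted: true },  // right button press
  { type: "keydown", key: "Enter", isTrusted: true }, // keyboard activation
  { type: "click", button: 0, isTrusted: false },     // dispatched by script only
];

// Produce one human-readable verdict line per gesture.
function auditGestures(gestures) {
  return gestures.map((ev) => {
    const d = fullscreenDecision(ev);
    return `${ev.type}/${ev.button ?? "-"}: ${d.allowed ? "allow" : "deny"} (${d.reason})`;
  });
}

console.log(auditGestures(SAMPLE_GESTURES).join("\n"));
```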