Closed Bug 1428913 Opened 3 years ago Closed 2 years ago
Don't allow entering fullscreen on right / middle click
47 bytes, text/x-phabricator-request
|Details | Review|
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0 Build ID: 20180108100050 Steps to reproduce: This bad site: http://toolantivirusextt.biz/ff/?_subid=3jpku2d46hbgv2g7jbd&_token=uuid_3jpku2d46hbgv2g7jbd_3jpku2d46hbgv2g7jbd5a4a3a2b64a7b0.53500257 Right-clicking or middle-clicking on the page opens it in full screen. Expected results: I think Firefox should check which button the user clicked and then decide to open in full screen or not. Full screen should only work for left-click.
What do you think?
In Microsoft Edge, the site does not enter in full screen mode when clicking on the page.
Jonathan, who's working on full screen mode these days?
Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(jkt)
Summary: prevent malicious website from entering fullscreen → Don't allow entering fullscreen on right / middle click
Or what do you think of this idea? Make full screen only work for button elements? Is this a good idea?
(In reply to kernp25 from comment #4) > Or what do you think of this idea? > Make full screen only work for button elements? > Is this a good idea? That would contravene the spec and probably break genuine websites that use fake buttons implemented in <div> or <a> or whatever. I don't see a good heuristic way to really do much about these types of sites given the way requestFullScreen currently works. Even checking the size of the element that's requesting full screen won't help because the websites can just tile <body> with single elements that aren't too big.
This site is really bad and should be completely blocked by Firefox.
This is one of the eviltraps that we are tracking. I'm not sure who maintains fullscreen at the moment. I thought for some reason someone was looking into this recently though. We probably could prevent: - Right click opening fullscreen - Fullscreen from opening when another browser prompt is shown Other than that, this really should be picked up by phishing/malware protection lists which would block sites like this.
Reproducible on Windows 10 x 64, Windows 7 x32, Mac OS X 10.12 and Ubuntu 16.04 x64 on Firefox nightly 60.0a1 (2018-02-04).
Component: Untriaged → Event Handling
Product: Firefox → Core
Component: Event Handling → User events and focus handling
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #9065441 - Attachment description: Bug 1428913 - Deny full-screen on right or middle mouse button. r=johannh → Bug 1428913 - Deny full-screen on right or middle mouse button. r=smaug
You need to log in before you can comment on or make changes to this bug.