Closed Bug 1428913 Opened 3 years ago Closed 2 years ago

Don't allow entering fullscreen on right / middle click

Categories

(Core :: DOM: UI Events & Focus Handling, defect, P3)

defect

Tracking

()

RESOLVED FIXED
mozilla69
Tracking Status
firefox69 --- fixed

People

(Reporter: kernp25, Assigned: pbz)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180108100050

Steps to reproduce:

This bad site: http://toolantivirusextt.biz/ff/?_subid=3jpku2d46hbgv2g7jbd&_token=uuid_3jpku2d46hbgv2g7jbd_3jpku2d46hbgv2g7jbd5a4a3a2b64a7b0.53500257

Right-clicking or middle-clicking on the page opens it in full screen.




Expected results:

I think Firefox should check which button the user clicked and then decide to open in full screen or not.

Full screen should only work for left-click.
What do you think?
Flags: needinfo?(gijskruitbosch+bugs)
In Microsoft Edge, the site does not enter in full screen mode when clicking on the page.
Jonathan, who's working on full screen mode these days?
Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(jkt)
Summary: prevent malicious website from entering fullscreen → Don't allow entering fullscreen on right / middle click
Or what do you think of this idea?
Make full screen only work for button elements?
Is this a good idea?
(In reply to kernp25 from comment #4)
> Or what do you think of this idea?
> Make full screen only work for button elements?
> Is this a good idea?

That would contravene the spec and probably break genuine websites that use fake buttons implemented in <div> or <a> or whatever.

I don't see a good heuristic way to really do much about these types of sites given the way requestFullScreen currently works. Even checking the size of the element that's requesting full screen won't help because the websites can just tile <body> with single elements that aren't too big.
This site is really bad and should be completely blocked by Firefox.
This is one of the eviltraps that we are tracking.

I'm not sure who maintains fullscreen at the moment. I thought for some reason someone was looking into this recently though.

We probably could prevent:
- Right click opening fullscreen
- Fullscreen from opening when another browser prompt is shown

Other than that, this really should be picked up by phishing/malware protection lists which would block sites like this.
Blocks: eviltraps
Flags: needinfo?(jkt)
Reproducible on Windows 10 x 64, Windows 7 x32, Mac OS X 10.12 and Ubuntu 16.04 x64 on Firefox nightly 60.0a1 (2018-02-04).
Component: Untriaged → Event Handling
Product: Firefox → Core
Priority: -- → P3
Component: Event Handling → User events and focus handling
Assignee: nobody → pbz
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #9065441 - Attachment description: Bug 1428913 - Deny full-screen on right or middle mouse button. r=johannh → Bug 1428913 - Deny full-screen on right or middle mouse button. r=smaug
Keywords: checkin-needed

Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/eaafaaab2b4d
Deny full-screen on right or middle mouse button. r=smaug

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
You need to log in before you can comment on or make changes to this bug.