Closed Bug 1535444 Opened 1 year ago Closed 1 year ago

MozTogglePictureInPicture shouldn't be accepted from untrusted sources

Categories

(Toolkit :: Video/Audio Controls, enhancement)

enhancement
Not set
normal

Tracking

VERIFIED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- verified

People

(Reporter: mconley, Assigned: mconley)

Details

Attachments

(1 file)

Honestly, I'm not sure why this was set, but we definitely don't want websites to just be able to fire this event and cause Picture-in-Picture to happen.

In an overabundance of caution, I'm marking as a security bug - the handler is Nightly-only for now, and I think it's pretty benign, but why not be careful.

Group: firefox-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Assignee: nobody → mconley

Verified as fixed on the latest Beta version based on the fact that an automated test was implemented specifically for this issue. For more information, please see bug 1535454.

Status: RESOLVED → VERIFIED
Group: core-security-release