Open Bug 1543202 Opened 6 years ago Updated 3 years ago

Keyboard shortcut highlights menu despite being consumed by web content

Categories

(Core :: Widget: Cocoa, defect, P3)

Product:
Core
Component:
Widget: Cocoa
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
REOPENED

People

(Reporter: Atoll, Unassigned)

References

Details

(Keywords: csectype-spoof, sec-low)

I was instructed by :dao to file this new bug from bug 1381951 comment 6, where we're allowing the menu to highlight as if it were activated even though the keystroke is captured by Javascript. I think that this bug is likely deeply intertwined with bug 1381951, but I don't know the Firefox macOS UX codebase. :dao, please revise or correct me as you see fit here.

There's a UX bug whether you choose to permit websites to override Preferences or not: the 'Firefox' menu title in the menu bar highlights blue briefly when the key is pressed, but then doesn't open the Preferences.

So it should either highlight blue and open prefs, or not highlight and not open prefs.

It would be very easy to set up a phishing site that looks like about:preferences and bind it to Cmd-, on a bunch of poor-quality websites, especially for entrapping expert users.

Group: core-security
status-firefox68: affected → ---
Component: General → Widget: Cocoa
Priority: P4 → --
Product: Firefox → Core
Summary: [macOS X] Keyboard shortcut for Preferences highlights menu after being blocked by websites → Keyboard shortcut highlights menu despite being consumed by web content

Maybe Markus or :spohl can help explain what's responsible for the highlighting.

I'm not convinced this needs to stay sec-sensitive as the phishing risk should be taken care of by bug 1381951.

Flags: needinfo?(spohl.mozilla.bugs)
Flags: needinfo?(mstange)

Apologies, I didn't realize this needed a sec- flag :(

Well we need to wait reply events of all non-consumed events here? It might make the main process performance worse...

(In reply to :Gijs (he/him) from comment #1)

I'm not convinced this needs to stay sec-sensitive as the phishing risk should be taken care of by bug 1381951.

Bug 1381951 being fixed doesn't mean web content can't override shortcuts anymore, but just that it can't override that particular one.

Group: core-security
Keywords: csectype-spoof, sec-low

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900)(Might be slow response) from comment #3)

Well we need to wait reply events of all non-consumed events here? It might make the main process performance worse...

You beat me to it, but yes, it looks like it. This is responsible for giving the visual feedback in the menu bar.

Flags: needinfo?(spohl.mozilla.bugs)
Flags: needinfo?(mstange)
Priority: -- → P3
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INACTIVE

Pretty sure this is still the case so we probably shouldn't close it.

Status: RESOLVED → REOPENED
Resolution: INACTIVE → ---
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.