PictureInPictureChild should only process trusted events

RESOLVED FIXED in Firefox 68

Status

defect
P2
normal
RESOLVED FIXED
3 months ago
22 days ago

People

(Reporter: mconley, Assigned: mconley)

Tracking

(Blocks 1 bug)

68 Branch
mozilla68
Bug Flags:
qe-verify ?

Firefox Tracking Flags

(firefox68 fixed)

Currently, PictureInPictureChild listens for canplay, mousemove and mousedown events.

We don't appear to do anything to ensure that these aren't synthesized events being dispatched by page JS. We should do that.

I stumbled onto this because of an ad on a cbc.com website that was for some reason dispatching mousemove events inside of the top-level document from within a subframe, so the clientX and clientY coordinates we were getting were not making much sense.

See Also: → 1545872
Priority: -- → P2
Blocks: 1545872
Type: defect → task
Assignee: nobody → mconley
Status: NEW → ASSIGNED
Type: task → defect
Pushed by mconley@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/be001f8ade5a
Make PictureInPictureChild process trusted events only. r=jaws
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
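
The check this bug asks for, sketched as an added example that is not part of the original report and is not Firefox's own code: a hypothetical handler (`TrustedOnlyHandler` and `runSample` are names assumed here) that drops any `canplay`, `mousemove` or `mousedown` event whose `isTrusted` is not `true`. The sample events are constructed, and a plain object stands in for a browser-generated event.

```javascript
// Added example: hypothetical handler, not the PictureInPictureChild source.
const HANDLED_TYPES = new Set(["canplay", "mousemove", "mousedown"]);

class TrustedOnlyHandler {
  constructor() {
    this.lastPointer = null; // last pointer position taken from a trusted event
    this.handled = [];       // types of events that were processed
    this.ignored = 0;        // synthesized events that were dropped
  }

  handleEvent(event) {
    if (!HANDLED_TYPES.has(event.type)) return false;
    // isTrusted is true only for events generated by the user agent.
    // Events created and dispatched by script report false.
    if (event.isTrusted !== true) {
      this.ignored++;
      return false;
    }
    if (event.type === "mousemove" || event.type === "mousedown") {
      this.lastPointer = { x: event.clientX, y: event.clientY };
    }
    this.handled.push(event.type);
    return true;
  }
}

function runSample() {
  const handler = new TrustedOnlyHandler();
  const target = new EventTarget();
  for (const type of HANDLED_TYPES) {
    target.addEventListener(type, (e) => handler.handleEvent(e));
  }
  // Constructed: a script-dispatched mousemove carrying coordinates that
  // make no sense for this document, as in the report above.
  const synthesized = new Event("mousemove");
  synthesized.clientX = -4000;
  synthesized.clientY = 99999;
  target.dispatchEvent(synthesized);
  // Constructed stand-in for an event generated by the browser itself.
  handler.handleEvent({ type: "mousemove", isTrusted: true, clientX: 120, clientY: 80 });
  return handler;
}
```
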

Hi Mike,
Could we manually verify this issue?

Flags: qe-verify?
Flags: needinfo?(mconley)

Hi brindusat,

Thanks for reaching out - I don't think this needs to be manually verified - I added an automated test for this: https://searchfox.org/mozilla-central/rev/0671407b7b9e3ec1ba96676758b33316f26887a4/toolkit/components/pictureinpicture/tests/browser_cannotTriggerFromContent.js

Flags: needinfo?(mconley)