Open Bug 1558936 Opened 5 years ago Updated 2 years ago

U2F causes all windows to demand attention, even after auth

Categories

(Core :: DOM: Device Interfaces, defect)

Product:
Core
Component:
DOM: Device Interfaces
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: kevin, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

On Firefox 67.0.2 or 69.0a1 (2019-06-12):

  1. Open multiple Firefox windows.
  2. In one of the windows, visit a site which uses U2F (e.g. https://mdp.github.io/u2fdemo/#reg)
  3. Start U2F registration or authentication.

Actual results:

The "{site} wants to register an account with one or more of your security keys..." notification appears in all windows and all Firefox windows receive the _NET_WM_STATE_DEMANDS_ATTENTION window manager state (which causes them to blink in the XFCE Panel). Clicking "Cancel" on the notification, clicking away, changing focus, or authenticating with a U2F device dismisses the notification, but all windows remain in the _NET_WM_STATE_DEMANDS_ATTENTION state until focused (which causes the window manager to clear the state).

Expected results:

When authentication is resolved (canceled or completed) the _NET_WM_STATE_DEMANDS_ATTENTION state is cleared on all windows.

Personally, I would expect the notification and _NET_WM_STATE_DEMANDS_ATTENTION state to only be set on the window requesting authentication, and that changing focus (especially to the requesting window) would not cancel authentication. Perhaps those are separate bugs?

Not sure if this is a window manager issue that belongs in core::widget:kde or a core::dom: web auth bug.

Component: Untriaged → DOM: Device Interfaces
Product: Firefox → Core

This is quite annoying when you have 20 or 30 Firefox windows open and use U2F regularly.

I tracked it down to WebAuthnPromptHelper in browser.js being initialized for each Firefox window. When U2FTokenManager sends the "webauthn-prompt" message, each observer creates the notification for its window. PopupNotifications.jsm calls this.window.getAttention(), which is what causes the flashing. I'm not sure if this is just the wrong way to do it and it needs to be reworked, or if some sort of window identifier needs to be passed along to allow other windows to ignore the message.

I'm no longer able to reproduce this issue. I believe it was fixed by https://hg.mozilla.org/integration/autoland/rev/b4b7e943b93cdc77a479bd5484f7661985bdb7d4 for Bug 1540309.

Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.