Open Bug 1576725 Opened 5 years ago Updated 2 years ago

Consider requiring user action for window.print

Categories

(Core :: DOM: Core & HTML, enhancement, P3)

68 Branch
enhancement

Tracking

()

UNCONFIRMED

People

(Reporter: elliottabarnes, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

I've classed this as a potential security/privacy issue; please feel free to declassify this if it's not felt that this particular issue is appropriate to be categorised as so. Tested with Firefox 68.0.2 on Windows 7 X64.

Currently, it appears that Firefox allows the "Print" dialog to automatically be invoked by a web page upon loading. This could potentially be exploited via the following workflow:

  1. An attacker sends an email to a Firefox user, which has an embedded link within its content

  2. Upon clicking the link, the user is directed to a web page hosted by the attacker that triggers the Print dialog to be invoked

  3. Not thinking any more of it, the user either hits the Enter key on their keyboard, or simply clicks the "OK" button; either option will tell Firefox to print the content of the page via the user's default printer

In this situation, the content of the web page could be anything chosen by the attacker. In corporate environments, this becomes more of a risk; imagine that the web page contains a password dump of the user's personal Internet accounts that has been found via a database leak. In certain printer configurations, this could cause this information to be printed and picked up by anybody physically passing the printer - and the user may not even know that the printing happened in the first place.

Actual results:

See above.

Expected results:

In these situations, Firefox shouldn't allow the Print dialog to be opened unless explicitly asked to do so by the user.

This is well-known, there's a lot of web apps that will do this in a popup if you click an in-app "print" button, and other browsers behave the same, so probably no point keeping this hidden. Also moving to DOM, as adding e.g. popup-based restrictions around popping up a print dialog would come under the DOM window.print() implementation.

Group: firefox-core-security
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core

Huh, TIL we have a popup blocker for print dialogs: https://searchfox.org/mozilla-central/rev/325c1a707819602feff736f129cb36055ba6d94f/dom/base/nsGlobalWindowOuter.cpp#2683

That probably means this doesn't qualify for an evil trap.

We should really have a shared mechanism for blocking all annoying/spammy dialogs.

Personally I think it's a sensible idea to add window.print() behind user gesture, but it's probably a pain to deal with the webcompat fallout (for comparatively little security gain, IMO). Would be nice to go back in time...

I'm slightly worried that changing this would break some sites that offer stuff for printing for legitimate purposes but feel that they need to micromanage stuff instead of letting the user choose "Print" from the "File" menu.

Type: defect → enhancement
Priority: -- → P3
Summary: Firefox: Don't allow Print Dialog to Automatically be Shown upon Page Load via Window.Print and Similar → Consider requiring user action for window.print
Severity: normal → S3
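
The gating logic proposed in this bug, written as an added JavaScript example (not Firefox code and not from any commenter): a wrapper lets `print()` through only while a user gesture is current, using `navigator.userActivation` where available and recent trusted input events otherwise. `installPrintGuard`, `makeFakeWindow` and the 1000 ms grace window are assumptions for illustration; the fake window is constructed so the example runs under Node.

```javascript
// Added example: model of "window.print() only after a user gesture".
// installPrintGuard and graceMs are hypothetical names, not Firefox internals.
function installPrintGuard(win, { graceMs = 1000, now = () => Date.now() } = {}) {
  const nativePrint = win.print.bind(win);
  let lastGesture = -Infinity;
  const blocked = [];

  // Fallback signal for engines without navigator.userActivation:
  // remember when the last *trusted* input event occurred.
  for (const type of ["pointerdown", "keydown"]) {
    win.addEventListener(type, (ev) => {
      if (ev.isTrusted) lastGesture = now(); // script-dispatched events are not trusted
    }, true);
  }

  function hasUserGesture() {
    const ua = win.navigator && win.navigator.userActivation;
    if (ua && typeof ua.isActive === "boolean") return ua.isActive;
    return now() - lastGesture <= graceMs;
  }

  // Unlike the native method, the wrapper returns a boolean so callers can
  // tell whether the dialog was allowed.
  win.print = function guardedPrint() {
    if (!hasUserGesture()) {
      blocked.push(now()); // record the attempt instead of opening the dialog
      return false;
    }
    nativePrint();
    return true;
  };
  return { blocked, hasUserGesture };
}

// Constructed stand-in for a browser window (assumption, for offline runs).
function makeFakeWindow(userActivation) {
  const listeners = {};
  return {
    printed: 0,
    navigator: userActivation ? { userActivation } : {},
    print() { this.printed++; },
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type, isTrusted) { (listeners[type] || []).forEach((fn) => fn({ type, isTrusted })); },
  };
}
```

A wrapper in page script only constrains scripts a site includes on its own pages; a page that controls its own script environment is not bound by it, which is why the bug asks for the check inside the browser's `window.print()` implementation.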