Prevent webpages forcing picture-in-picture without user consent
Categories
(Toolkit :: Picture-in-Picture, defect, P3)
Tracking
()
People
(Reporter: bugzilla, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [fidefe-MR1-2022])
Attachments
(2 files, 1 obsolete file)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Steps to reproduce:
A webpage can make an invisible video follow the mouse cursor, causing a video to pop up in picture-in-picture mode if the user clicks anywhere on the page. This could be used by spammy websites to create autoplaying video popup ads.
Actual results:
The PiP flyout on an invisible video can be unintentionally clicked by a user.
Expected results:
Either make the PiP flyout always visible, regardless of video opacity. Or prevent the PiP flyout displaying if the video is not visible.
|
Reporter | |
Comment 1•5 years ago
|
||
The attached PoC shows how this could work. Clicking anywhere in the page causes the video to go into PiP mode and start autoplaying.
|
||
Comment 2•5 years ago
|
||
Can confirm. Mike, you might want to take a look right away.
|
||
Updated•5 years ago
|
|
|
||
Comment 3•5 years ago
•
|
||
I'm investigating this right now, but I think we need a call from pascal or astevenson on whether or not:
- We ship with this problem on 71 on Windows, and fix it in a dot release
- We should disable PiP in 71 on Windows, until a dot release with a fix
- We ship with this problem on 71 on Windows, and have it fixed in 72+
- Disable PiP in 71 on Windows, and re-enable for everyone in 72+ with the fix.
|
||
Comment 4•5 years ago
|
||
Uplift options for a RC3 before Monday:
Option 1: Can you provide a fix we uplift and do a RC3 over the week end?
Option 2: Can you provide a disabling patch for the feature?
|
|
||
Updated•5 years ago
|
|
|
Reporter | |
Comment 5•5 years ago
|
||
Apologies, I didn't realise this would be quite so high priority since the same behaviour is already a 'feature' of Chrome's Picture-in-Picture Web API.
|
||
Comment 6•5 years ago
|
||
|
|
||
Comment 7•5 years ago
|
||
|
|
||
Comment 8•5 years ago
|
||
I am decreasing the severity since chromium browsers are affected and they already ship the feature, it doesn't block this week release.
|
|
||
Comment 9•5 years ago
|
||
(In reply to Paul Stone from comment #5)
Apologies, I didn't realise this would be quite so high priority since the same behaviour is already a 'feature' of Chrome's Picture-in-Picture Web API.
Thanks for filing, Paul! Also, thanks for bringing to our attention that the other browsers also have a similar problem.
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
Reporter | |
Comment 10•4 years ago
|
||
With bug 1600372 fixed, setting opacity: 0 prevents the PiP flying being clickable. However, the following things still work:
- opacity: 0.001
- filter: opacity(0)
- using an feColorMatrix SVG filter to set the alpha to 0
|
|
||
Comment 11•4 years ago
|
||
I am marking this one as wontfic for 71 as we have no dot release planned and we are half way to 72 in our release cycle.
|
||
Updated•4 years ago
|
|
||
Comment 13•3 years ago
|
||
Even with autoplay disabled, the broken scrolling often gives me migraines, nausea, sometimes vomiting.
|
|
||
Updated•3 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•1 year ago
|
Description
•