Don't hide the status panel (status bar) while a link's context menu is open
Categories (Firefox :: Tabbed Browser, enhancement, P3)

Tracking

| | Tracking | Status |
|---|---|---|
| firefox76 | --- | fixed |

People (Reporter: anasfalhi4, Assigned: dao)

Details (Keywords: reporter-external)

Attachments (3 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:74.0) Gecko/20100101 Firefox/74.0
Steps to reproduce:
I created an HTML file that contains a hyperlink tag which changes its value to a phishing website when the right mouse click is triggered.
index.html:
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Test</title>
</head>
<body style="background-color: black">
<!-- The oncontextmenu handler swaps the link target when the context menu opens -->
<a style="color:white;text-decoration: none;" href="https://www.facebook.com" oncontextmenu="this.href='https://www.evilwebsite.com'"><h1>Facebook</h1></a>
</body>
</html>
```
Actual results:
Changing the href attribute value right after the right-click menu is triggered, without any way for the "victim" to notice that.
*Please see attached video.
Expected results:
The same bug was tested on Chrome, but Chrome seems to handle it well because the bottom-left bar in the corner remains visible even after the right click, while in Firefox it disappears.
*Please see attached video.
Comment 1 • 5 years ago
It seems strictly better not to hide the status bar when the context menu shows, so that's a valid bug. It should also update if the link changes, for which we have bug 1438660 already on file.
However, in terms of the security implications, we have oodles of bugs on this type of thing on file (see also bug 229050), and the phishing case for the context menu isn't really very compelling given you can do it on mousedown for most "normal" link clicks, undetected, and you could probably cobble something together with the context menu event (or just prevent it) by using a timeout or doing more detailed mouse tracking, to change the link only right before you actually use one of the context menu items.
In your video, I don't see the status tooltip at all in the Firefox case, so I'm not sure how this relates to comment #0 - but the hiding of the tooltip will be due to mouse movement (away from the link, in this case, onto the context menu), not due to the fact that the context menu opens per se.
In the case of mousedown there is a chance that the user may notice what's going on, given this code:
```html
<a href="https://www.twitter.com" onmousedown="this.href='https://www.ohjeez.com'">TWITTER</a>
```
If you hold down the left mouse button you will see that the status bar shows the actual domain that you are going to. Even though the action is fast, the hidden URL is still shown, so there is a chance that the user may see it, unlike contextmenu, where there is no way a user can notice the attack no matter how fast you perform the action.
Another thing, which I am sure I am not the only one to do, is that sometimes I like to drag the hyperlink to the tabs bar to avoid leaving the current page; sometimes I prefer it over CTRL+LEFT MOUSE / Command+LEFT MOUSE, and while dragging it to the tabs bar it is obviously shown in the status bar.
In the video you can actually see the status bar for like 3 seconds when hovering the hyperlink, but it disappears right after the context menu opens, and that's the problem: the status bar should remain visible, just like in Chrome's case.
You are right about the status bar not showing. I apologize; it seems like there is a problem with the uploaded video. I'll try to re-upload it.
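
A defender-side check for the pattern discussed in this bug, as an added example that is not part of the report or of Firefox's code: it scans markup for links whose inline event handlers assign to `href` and reports whether the host changes. The function names and the regex-based tag scan are assumptions of this example; the first two sample links are the ones posted above, the other two are constructed.

```javascript
// Added example: static check for links whose inline handlers rewrite href.
// Assumption: a regex tag scan is enough here; use a real HTML parser in production.

// Collect the attributes of one opening tag into a map keyed by lowercase name.
function parseAttributes(tagText) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tagText.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Hostname of an absolute URL, or null when the string does not parse.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Report every on* attribute of an <a> tag that assigns to href (== comparisons are ignored).
function findHrefRewrites(html) {
  const findings = [];
  const tagRe = /<a\b(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
  for (const [tag] of html.matchAll(tagRe)) {
    const attrs = parseAttributes(tag);
    for (const [name, code] of Object.entries(attrs)) {
      if (!name.startsWith('on')) continue;
      const m = /\bhref\s*=(?!=)\s*(?:(['"])(.*?)\1)?/.exec(code);
      if (!m) continue;
      const target = m[2] ?? null; // null when the new value is not a string literal
      findings.push({
        event: name,
        declared: attrs.href ?? null,
        rewrittenTo: target,
        hostChanges: target !== null && hostOf(target) !== hostOf(attrs.href ?? ''),
      });
    }
  }
  return findings;
}

// First two links are the ones posted in this bug; the last two are constructed.
const SAMPLE = `
<a href="https://www.facebook.com" oncontextmenu="this.href='https://www.evilwebsite.com'">Facebook</a>
<a href="https://www.twitter.com" onmousedown="this.href='https://www.ohjeez.com'">TWITTER</a>
<a href="https://example.org/docs" onclick="track(this.href == '')">Docs</a>
<a href="https://example.org/a" onmouseup="this.href='https://example.org/b'">Same host</a>
`;

console.log(findHrefRewrites(SAMPLE));
```

Handlers attached from script with `addEventListener` are not visible to a markup scan like this one.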