Website can re-enter fullscreen on ESC key and trap user in fullscreen
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
People
(Reporter: pbz, Assigned: edgar)
References
(Blocks 2 open bugs, Regression)
Details
(4 keywords, Whiteboard: [adv-main77-][post-critsmash-triage])
Attachments
(1 file, 1 obsolete file)
When the user exits DOM fullscreen via ESC key the website can instantly enter fullscreen again, trapping the user. This seems to be a regression.
PoC here: https://eviltrap.site/trap/fullscreen-traps/fullScreenTrap.html
PoC source: https://github.com/Trikolon/evil-traps/blob/70634fd80c779916392081a93c35462a33c22800/src/traps/fullscreen-trap/static/fullScreenTrap.html
Mozregression result: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=19ac681aac4bcb6d24738e0ecc1e1810660ed0da&tochange=603a39b6be5a593c1226001410e8fff73466dda6
Comment 1•5 years ago
|
||
[Tracking Requested - why for this release]:
Sites can lock users into fullscreen, inviting lots of DOS and spoofing possibilities. Try the demo.
Okay, this is really bad. If you try out the POC users can be very easily trapped in fullscreen until they figure out to close the window with Ctrl+W, which I assume is never for some users. The whole system gets taken over that way. This is a sec-high at least, IMO.
Edgar, can you take a look? I think we need to consume the user activation when exiting fullscreen.
Comment 2•5 years ago
|
||
This is a sec-high at least, IMO.
Reconsidering this I guess we have similarly bad DOS issues that can kill Firefox instantly which we have categorized as sec-moderate so there's that. Still worth tracking for Beta and possibly release because it's so easy for hackers to exploit for their purposes.
Comment 3•5 years ago
|
||
Not a lot of time left this cycle for a fix to ship in 76 (RC is next week), but I'd take a low-risk patch.
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Comment 4•5 years ago
•
|
||
(In reply to Johann Hofmann [:johannh] from comment #1)
Edgar, can you take a look? I think we need to consume the user activation when exiting fullscreen.
Only consuming the user activation seems not enough because keydown event is also considered as an user-activation event.
Blink also treat keydown as an user-activation event, but filters out ESC
key, we probably should also do the same thing.
Updated•5 years ago
|
Assignee | ||
Comment 5•5 years ago
|
||
Assignee | ||
Comment 6•5 years ago
|
||
Depends on D72199
Updated•5 years ago
|
Updated•5 years ago
|
Comment 7•5 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/14c8489ad453cd7ac01d9b406d5a5f3f8121a022
https://hg.mozilla.org/mozilla-central/rev/14c8489ad453
Updated•5 years ago
|
Comment 8•5 years ago
|
||
Reproduced the initial issue on version 77.0a1 (2020-04-19) using Windows 10.
Verified - Fixed in version Nightly 77.0a1 (2020-05-01) (build id: 20200501094247) using Windows 10, Windows 7, MacOs 10.15.5 and Ubuntu 18.04.
Updated•5 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Description
•