It's possible to screen-capture the next tab after tab close
Categories
(Firefox :: Site Permissions, defect, P2)
Tracking
()
People
(Reporter: jib, Assigned: pbz)
References
(Blocks 1 open bug, )
Details
(Keywords: csectype-disclosure, privacy, sec-moderate, Whiteboard: [adv-main85+])
Attachments
(2 files, 1 obsolete file)
|
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
|
Details | Review |
|
203 bytes,
text/plain
|
Details |
From bug 1641802 comment 4, when screen-capturing the Firefox window (or the "Entire screen" with Firefox on it), JS may capture a split second after tab close, capturing the next tab shown. This is not POLA, and could be exploited to put users' privacy at risk.
STRs:
- Open a random victim tab, e.g. https://gokitty.com
- Open https://fiddle.jshell.net/jib1/0sjrmkuh/show
- Click the
Capture screen!button, and select the Firefox window (or Entire Desktop) + Allow - Close the fiddle tab.
- Re-open the fiddle tab.
Expected result:
- A screen-grab of the fiddle tab
Actual result:
- A screen-grab of gokitty.com
I've tried it on both Windows 10 and macOS 10.15.4. My success-rate is about 1/5 times.
Similarly, I've tried sending the capture to another tab over WebRTC (open this in two tabs), but not had success reproing that way. Although, this being timing-related, we perhaps shouldn't rule it out.
The repro fiddle doesn't work in release for some reason (uncaught exception: Object), it's unclear why. But this weakness is most likely not a regression, and an exploit that works in release could presumably be written.
|
||
Updated•4 years ago
|
|
||
Comment 1•4 years ago
|
||
The severity field is not set for this bug.
:pbz, could you have a look please?
For more information, please visit auto_nag documentation.
|
||
Updated•4 years ago
|
|
Assignee | |
Comment 2•4 years ago
|
||
Thanks! I'll have a look.
|
|
Assignee | |
Updated•4 years ago
|
|
|
||
Comment 3•4 years ago
|
||
I think Paul is still looking at this, I don't have the bandwidth right now :)
|
|
Assignee | |
Comment 4•4 years ago
|
||
|
|
Assignee | |
Comment 5•3 years ago
|
||
|
||
Updated•3 years ago
|
|
|
||
Comment 6•3 years ago
|
||
The patch landed in nightly and beta is affected.
:pbz, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 7•3 years ago
|
||
Comment on attachment 9187173 [details]
Bug 1642747 - Don't blur closing active tab early if screensharing. r=johannh
Beta/Release Uplift Approval Request
- User impact if declined: Users expects screen sharing to end immediately when they close a tab with active screen sharing. With this bug sites can briefly capture contents of the next tab before the screen sharing ends, potentially violating the users privacy.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: See STR from comment 0. Working test url is: https://jsfiddle.net/jib1/0sjrmkuh/show
The issue is intermittent, however I was able to reproduce it after a couple of tries on my Windows VM. - List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small patch and we only change behavior for closing active tabs with screen sharing. I've added a test to ensure we don't break tab closing for the screen sharing scenario.
Since the bug is quite intermittent we don't have test coverage for the bug itself. - String changes made/needed:
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 8•3 years ago
|
||
Comment on attachment 9187173 [details]
Bug 1642747 - Don't blur closing active tab early if screensharing. r=johannh
approved for 85.0b5
|
|
||
Comment 9•3 years ago
|
||
| uplift | ||
|
||
Updated•3 years ago
|
|
||
Comment 10•3 years ago
|
||
Reproduced the initial issue using old Nightly from 2020-06-02, verified that his is no longer an issue using Firefox 85.0b5 and Latest Nightly from today across platforms (Windows 10, macOS 11 and Ubuntu 18.04). Keeping qe-verify+ flag until this will be fixed in ESR as well.
|
|
||
Comment 11•3 years ago
|
||
Is this worth uplifting to ESR78? Please nominate for approval if so; it grafts cleanly.
|
|
Assignee | |
Comment 12•3 years ago
|
||
Let's stick to 85 release for now and check back next cycle to ensure we don't regress. Leaving NI for that.
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 13•3 years ago
|
||
|
|
||
Comment 14•3 years ago
|
||
|
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 15•3 years ago
|
||
Haven't spotted any regressions from this patch in 85, so uplifting to ESR is an option. However, looking at the uplift request form I can see that we usually only uplift sec-high and sec-crit. I don't see how this bug would be an exception to that.
Happy to discuss this further if you have concerns.
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Updated•2 years ago
|
| Comment hidden (spam) |
Description
•