1646294 - Reader Mode - context menu options displayed and not triggering actions for buttons in the reader mode menu / popup

Status: NEW

(Firefox :: Menus, defect, P5)

Description

[Cristian Fogel, QA [:cfogel]]

Attachment: Screen Recording 0002-06-17 at 11.05.54.mov

Affected versions

• 77.0.1, 78.0b7, 79.0a1;

Affected platforms

• Windows 10, macOS 10.15.5, Ubuntu 18.04;

Steps to reproduce

1. Launch Firefox and access https://en.wikipedia.org/wiki/Firefox
2. Click to enable Reader Mode;
3. Right Click on the Reader menu;
4. Click on the View Background Image option;

Expected result
There are 2 options here:

1. context menu should not open
2. The View Background Image option and others not page-related are disabled;

Actual result

• nothing happens;

Regression range

• not a regression,

Additional notes

• attached recording with the issue.

Comment 1

[:Gijs (he/him)]

The console shows:

Security Error: Content at about:reader?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FFirefox may not load or link to chrome://global/skin/reader/RM-Type-Controls-24x24.svg.

Christoph, the images load fine, do you know why the manual check in the context menu code fails here?

Comment 2

[Christoph Kerschbaumer [:ckerschb]]

I did some digging and the current behavior is due to this Bug 1465160, and in particular to the added urlSecurityCheck using this.principal which should prevent potential XSS using javascript: URIs.

FWIW, here is the full stack:

urlSecurityCheck resource://gre/modules/BrowserUtils.jsm:152
urlSecurityCheck chrome://global/content/contentAreaUtils.js:35
viewBGImage chrome://browser/content/nsContextMenu.js:1338
oncommand chrome://browser/content/browser.xhtml:1

I am not entirely sure but from what I can tell it uses the flag 'DISALLOW_SCRIPT' and viewBGImage can only be user initiated, right? In which case I think we could update to using the systemPrincipal which should make that work correctly.