Closed Bug 1648333 (CVE-2020-15654) Opened 4 years ago Closed 4 years ago

Deceptive custom cursor and infinite JavaScript loop causes Browser Lock effect

Categories: Core :: Layout, defect

Tracking

VERIFIED FIXED
mozilla79
Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 79+ verified
firefox77 --- wontfix
firefox78 --- wontfix
firefox79 + verified

People

(Reporter: yfsoph, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, sec-low, Whiteboard: [post-critsmash-triage][adv-main79+][adv-ESR78.1+])

Attachments

(5 files)

Attached video: demonstration video

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36

Steps to reproduce:

  1. Host index.html and cursor.png in the same directory
  2. Navigate to index.html
  3. Move mouse around until custom cursor is loaded
  4. Move mouse over "hover here" until the text turns to "ok"
  5. Try to click Back/Close Tab buttons
  6. Try to click "Stop It" when the "A web page is slowing down..." doorhanger notification pops up

Actual results:

Browser Lock effect: buttons are seemingly not clickable, website is not easy to get away from

Expected results:

Custom cursor should not be active near browser Back/Close Tab buttons, or the "A web page is slowing down..." notification

Attached file index.html
Attached image cursor.png

If JavaScript code runs in an infinite loop while a deceptive custom cursor is active in a web page, the mitigations applied in bug 1445844 are rendered ineffective and a Browser Lock effect happens, in a similar fashion to that same bug.
Mitigation code from bug 1445844 (e.g. the function ShouldBlockCustomCursor) is meant to be triggered inside the content process as a result of mouse events, which are not being handled while JavaScript is busy executing an infinite loop.
The process hang monitor notification is also under the deceptive custom cursor effect, and thus force-stopping the infinite loop execution is prevented. This part is possibly related to bug 1538402.

Note: It's possible to break out of the Browser Lock effect when the mouse moves out of the browser's window. Therefore it's most effective when the browser is in full screen.

Group: firefox-core-security → layout-core-security
Component: Untriaged → Layout
Product: Firefox → Core

Hmm, right, so the issue is that we're doing the "is cursor in bounds" check in the child process (which is needed if you want our current fallback behavior).

But the child process is too busy doing nothing to process the mouse moves... Chrome's implementation has the same issue, it looks like.

I guess we could move the check to the parent process, and only fall back to the next built-in cursor rather than to the next image cursor. Or something like that?

Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → emilio
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]

Please nominate this for ESR78 approval when you get a chance.

Flags: needinfo?(emilio)

Comment on attachment 9159372 [details]
Bug 1648333 - Make sure there's no custom cursor when popping up the slow script dialog. r=Gijs

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Easy sec-low.
  • User impact if declined: comment 0
  • Fix Landed on Version: 79
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): One liner that ensures we get a non-custom cursor when the slow script dialog pops up.
  • String or UUID changes made by this patch: none
Flags: needinfo?(emilio)
Attachment #9159372 - Flags: approval-mozilla-esr78?

Reproduced the issue using Firefox 79.0a1 (20200624215010) on Windows 10x64 and steps from comment 0.
No custom cursor is shown when the slow script dialog is displayed using Firefox 79.0b2 (20200630191632) on Windows 10x64, macOS 10.12, and Ubuntu 18.04.

Comment on attachment 9159372 [details]
Bug 1648333 - Make sure there's no custom cursor when popping up the slow script dialog. r=Gijs

Approved for 78.1esr.

Attachment #9159372 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+

Verified with the task cluster builds for ESR as well.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main79+]
Whiteboard: [post-critsmash-triage][adv-main79+] → [post-critsmash-triage][adv-main79+][adv-ESR78.1+]
Attached file advisory.txt

Thank you for reporting this issue!
Please see the attached advisory and let us know asap, if you wanted to be credited differently.

Flags: needinfo?(yfsoph)
Alias: CVE-2020-15654

(In reply to Frederik Braun [:freddy] from comment #15)

> Thank you for reporting this issue!
> Please see the attached advisory and let us know asap, if you wanted to be credited differently.

Thanks! Please credit "SophosLabs Offensive Security team"

Flags: needinfo?(yfsoph)

Freddy, can you update the advisory to also mention the "infinite Javascript loop" / "content process hang" bit? It is a requirement, because otherwise we already prevent the cursor from overflowing the viewport if it's too large, see bug 1445844.

Flags: needinfo?(fbraun)

Done and done.

Flags: needinfo?(fbraun)
Group: core-security-release