Open Bug 1666131 Opened 4 years ago Updated 1 year ago

Firefox: Consider disabling the ability for pages to automatically trigger the standard Color Picker

Categories

(Core :: DOM: Core & HTML, enhancement)

80 Branch
enhancement

People

(Reporter: elliottabarnes, Unassigned)

References

(Blocks 2 open bugs)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0

Steps to reproduce:

Whilst performing some recent security testing, I noticed that Firefox appears to allow sites to automatically run the <input type="color"> HTML tag on a web page - without the user needing to interact with an element to trigger this function. In my case, this resulted in the loaded web page presenting the standard Windows Color dialog - when dismissed, as soon as I attempted to move the cursor on this particular web page it was once again automatically presented. Whilst I was unable to identify any security implications of this, this has the ability to cause confusion for users - especially if they're not able to easily close the page due to this presenting itself each time that the cursor is moved on the page.

Expected results:

We could consider only allowing this picker to be triggered when a user interacts with an element on a web page.

Setting a component for this enhancement in order to get the dev team involved.
If you feel it's an incorrect one please feel free to change it to a more appropriate one.

Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Core & HTML
Ever confirmed: true
Product: Firefox → Core

This could have been better handled if we implemented it as a custom non-modal dialog. Anne, do you think the spec should require an activation check here?

Flags: needinfo?(annevk)
No longer blocks: 1445061
Depends on: 1445061

I can make it appear with click() in Chrome too, though it uses a non-modal dialog rather than a popup window. I suspect that requiring user interaction would break certain websites at this point.

Blocks: eviltraps
Flags: needinfo?(annevk)

IIRC we changed the behavior because some sites were relying on Chrome's behavior (but would need to check the blame to ensure that).

Severity: -- → S3

In bug 1670795 somebody seems to have stumbled upon a real world evil page using this vector.

Blocks: 1445061
No longer depends on: 1445061
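
The activation check proposed in this bug, as an added example that is not part of the bug thread or of Firefox's code: a model that replays a constructed event timeline and allows a picker request only shortly after a trusted user gesture. The class and function names, the event set and the 5000 ms window are assumptions made for illustration.

```javascript
// Added illustration: a model of a user-activation gate for picker requests.
// Simplified, assumed set of gesture events; mousemove is deliberately absent.
const ACTIVATION_EVENTS = new Set(["mousedown", "keydown", "touchend"]);
const ACTIVATION_WINDOW_MS = 5000; // assumed lifetime of a user gesture

class PickerGate {
  constructor() {
    this.lastActivation = -Infinity; // time of the last trusted user gesture
  }
  // Feed every input event; only trusted, gesture-type events count.
  observe(event) {
    if (event.isTrusted && ACTIVATION_EVENTS.has(event.type)) {
      this.lastActivation = event.time;
    }
  }
  // Decide whether a script's request to open the picker may proceed.
  mayOpenPicker(now) {
    return now - this.lastActivation <= ACTIVATION_WINDOW_MS;
  }
}

// Replay a timeline and return the decision for each picker request.
function replay(timeline) {
  const gate = new PickerGate();
  const decisions = [];
  for (const entry of timeline) {
    if (entry.type === "open-picker") {
      decisions.push({ time: entry.time, allowed: gate.mayOpenPicker(entry.time) });
    } else {
      gate.observe(entry);
    }
  }
  return decisions;
}

// Constructed timeline (times in ms) mirroring the behaviour in the report.
const SAMPLE_TIMELINE = [
  { time: 0, type: "open-picker" },                    // requested on page load
  { time: 1200, type: "mousemove", isTrusted: true },  // cursor movement only
  { time: 1201, type: "open-picker" },                 // re-requested on movement
  { time: 3000, type: "mousedown", isTrusted: false }, // event synthesized by script
  { time: 3001, type: "open-picker" },
  { time: 4000, type: "mousedown", isTrusted: true },  // the user really clicks
  { time: 4050, type: "open-picker" },
  { time: 9500, type: "open-picker" },                 // gesture has expired
];

console.log(replay(SAMPLE_TIMELINE));
```

Only the request made right after the real click is allowed; the on-load, cursor-movement, synthetic-event and expired requests are all refused.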