Website allowed to set custom right-click context menu items without permission
Categories
(Firefox :: Menus, defect)
Tracking
()
People
(Reporter: eirik, Unassigned)
References
Details
Attachments
(1 file)
82.54 KB,
image/png
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Steps to reproduce:
Right-click on any post in the catalog view on any 4channel-board to see custom context-menu items (pin/unpin, hide/unhide, report). Tested on https://boards.4channel.org/v/catalog and https://boards.4channel.org/tv/catalog. Also see attached screenshot.
I have never given this website permission to use the browser.menu
API (as described here: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/menus). I also cannot find any settings or options to disable this API or revoke any permissions if mistakenly given.
If this is intended behavior I strongly suggest you prevent websites from doing this without explicit permission.
Comment 1•4 years ago
•
|
||
Reproduced on the latest versions of Firefox Nightly 85.0a1 (2020-12-03) , beta 84.0b7 and release 83.0 on Windows 10, MacOS and Ubuntu 18.04.
Setting a component for this issue in order to get the dev team involved.
If you feel it's an incorrect one please feel free to change it to a more appropriate one.
Comment 2•4 years ago
|
||
Hi eirik,
The site in question is not using the menus WebExtension API. They're using <menu>
DOM elements with type context
. See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/menu.
There is an effort to eventually remove support for <menu>
and <menuitem>
here: https://bugzilla.mozilla.org/show_bug.cgi?id=1372276, as it never really standardized, but it doesn't have high priority.
Description
•