Closed Bug 1679155 Opened 4 years ago Closed 4 years ago

Website allowed to set custom right-click context menu items without permission

Categories

(Firefox :: Menus, defect)

Firefox 83
defect

Tracking

()

RESOLVED INVALID
Tracking Status
firefox83 --- affected
firefox84 --- affected
firefox85 --- affected

People

(Reporter: eirik, Unassigned)

References

Details

Attachments

(1 file)

Attached image 4chan-context-menu.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0

Steps to reproduce:

Right-click on any post in the catalog view on any 4channel-board to see custom context-menu items (pin/unpin, hide/unhide, report). Tested on https://boards.4channel.org/v/catalog and https://boards.4channel.org/tv/catalog. Also see attached screenshot.

I have never given this website permission to use the browser.menu API (as described here: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/menus). I also cannot find any settings or options to disable this API or revoke any permissions if mistakenly given.

If this is intended behavior I strongly suggest you prevent websites from doing this without explicit permission.

Reproduced on the latest versions of Firefox Nightly 85.0a1 (2020-12-03) , beta 84.0b7 and release 83.0 on Windows 10, MacOS and Ubuntu 18.04.

Setting a component for this issue in order to get the dev team involved.
If you feel it's an incorrect one please feel free to change it to a more appropriate one.

Status: UNCONFIRMED → NEW
Component: Untriaged → Menus
Ever confirmed: true

Hi eirik,

The site in question is not using the menus WebExtension API. They're using <menu> DOM elements with type context. See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/menu.

There is an effort to eventually remove support for <menu> and <menuitem> here: https://bugzilla.mozilla.org/show_bug.cgi?id=1372276, as it never really standardized, but it doesn't have high priority.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
See Also: → 1372276
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: