I'm able to render HTML content on top of Firefox's address bar and tab bar
Categories: Core :: Graphics: WebRender, defect
People: Reporter: colin, Assigned: kvark
References: Regression
Whiteboard (4 keywords): [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage][adv-main88+]
Attachments: 3 files, 1 obsolete file
I was fiddling around with 3D CSS (e.g. turning on perspective, rendering cubes using CSS) and using JS to abuse this (too many divs) when I discovered that certain cubes in a 10x10x10 block of cubes were appearing above the Firefox webpage viewport.
At first I just thought it was amusing, but I then realised it is an actual security concern as the content can be arbitrary, and could e.g. replace the address bar's default content for someone better at HTML than I.
I have created a simple HTML page (including CSS) which reproduces the issue in current Firefox (87.0 64-bit running on MacOS X High Sierra), and demonstrates that it could be used to render 2D flat content appearing over the 2D flat content of Firefox's own UI. In my test case it simply shows a red square with "Hi" written in it.
Comment 1•4 years ago
Nice, thanks for filing! Jim, can you take a look at this, please?
Comment 2•4 years ago
Comment 3•4 years ago
This testcase doesn't work on ESR-78: the content is distorted and trapped at the top of the browser window
I can reproduce this on Release 87.0 and Nightly 89 (on mac). On Release gfx.webrender.enabled is false, but if I set gfx.webrender.force-disabled to true then the testcase is rendered harmless like ESR (so I guess some of webrender is on even when it's not enabled? Or is that just a dead pref now?).
Webrender is not respecting the content boundaries.
Comment 4•4 years ago
Looks like we're not clipping something when we should be. I'm not surprised that 3d transforms are involved.
Glenn, can you take a look?
Comment 5•4 years ago
Here's a reduced test case that doesn't show the drawing over chrome problem but does show different behaviour vs Safari and Chrome. Also notable is that changing the rotateX(1deg) to rotateX(0deg) causes more correct rendering.
Comment 6•4 years ago
The reduced test case also renders correctly with WebRender turned off.
Comment 7•4 years ago
mozregression output:
6:15.38 INFO: No more integration revisions, bisection finished.
6:15.38 INFO: Last good revision: 6b89ff1b983e3f136ada5248ed47e8632bf1df1c
6:15.38 INFO: First bad revision: 3013857e53518e740937da32d92d7d68cc926a05
6:15.38 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6b89ff1b983e3f136ada5248ed47e8632bf1df1c&tochange=3013857e53518e740937da32d92d7d68cc926a05
So it started occurring as part of https://phabricator.services.mozilla.com/D92135.
It should still be getting clipped to the content frame, some possibilities are:
- The change to the flattening of the transform matrix breaks something in the clip mask generation or sampling.
- The clipping was always broken and the patch in question just changes whether it was considered backface-visible or not.
Dzmitry, would you be able to take a look at this?
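Added example, not Gecko/WebRender code and not one of the attachments on this bug: a small JavaScript model of the two points comment 7 raises, written to be run with Node. The matrix layout, the perspective(500) value, the 1280x720 content clip and the sample element rect are all constructed for the example. projectPoint accumulates the parent perspective with the child transform and only drops Z after the perspective divide; projectFlattenedEarly zeroes Z of the intermediate result before the perspective matrix sees it, which shifts the projected point whenever the child transform has produced a non-zero Z (any non-zero rotateX) and leaves it untouched for rotateX(0deg). visibleBounds is the clip step that must hold whatever the transform does: the projected bounds are intersected with the content area, so nothing lands over the browser UI above the viewport. Points that end up behind the eye (w <= 0) need near-plane clipping, which this example does not implement.

```javascript
// Added example (not WebRender/Gecko code): a 4x4-matrix model of how a
// compositor derives the on-screen rectangle of a 3D-transformed element
// and clips it to the content area, and why Z must be "flattened" on the
// projected output rather than on an intermediate result.

// Matrices are row-major arrays of rows; points are [x, y, z, w] columns.
function identity() {
  return [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]];
}

// a * b: apply b first, then a.
function multiply(a, b) {
  const m = identity();
  for (let r = 0; r < 4; r++) {
    for (let c = 0; c < 4; c++) {
      let s = 0;
      for (let k = 0; k < 4; k++) s += a[r][k] * b[k][c];
      m[r][c] = s;
    }
  }
  return m;
}

function applyMatrix(m, p) {
  return m.map((row) => row[0] * p[0] + row[1] * p[1] + row[2] * p[2] + row[3] * p[3]);
}

// CSS perspective(d): w' = 1 - z / d (eye at distance d in front of the plane).
function perspective(d) {
  const m = identity();
  m[3][2] = -1 / d;
  return m;
}

// CSS rotateX(deg).
function rotateX(deg) {
  const a = (deg * Math.PI) / 180;
  const c = Math.cos(a);
  const s = Math.sin(a);
  const m = identity();
  m[1][1] = c; m[1][2] = -s;
  m[2][1] = s; m[2][2] = c;
  return m;
}

function translate(x, y, z) {
  const m = identity();
  m[0][3] = x; m[1][3] = y; m[2][3] = z;
  return m;
}

// Perspective divide. Z is dropped ("flattened") only here, after it has
// already contributed to w. Points with w <= 0 are behind the eye and would
// need near-plane clipping, which this example does not handle.
function divide([x, y, z, w]) {
  if (w <= 0) throw new Error("point behind the eye: near-plane clipping not handled here");
  return { x: x / w, y: y / w };
}

// Correct order: accumulate parent perspective * child transform, then project.
function projectPoint(parentPerspective, childTransform, x, y, z) {
  return divide(applyMatrix(multiply(parentPerspective, childTransform), [x, y, z, 1]));
}

// Wrong order: zero Z of the intermediate result before the perspective
// matrix sees it. Only harmless when the child transform left Z at 0.
function projectFlattenedEarly(parentPerspective, childTransform, x, y, z) {
  const q = applyMatrix(childTransform, [x, y, z, 1]);
  q[2] = 0;
  return divide(applyMatrix(parentPerspective, q));
}

// Screen-space bounding box of a flat element rect (local z = 0).
function projectedBounds(parentPerspective, childTransform, rect) {
  const corners = [
    [rect.left, rect.top], [rect.right, rect.top],
    [rect.left, rect.bottom], [rect.right, rect.bottom],
  ].map(([x, y]) => projectPoint(parentPerspective, childTransform, x, y, 0));
  return {
    left: Math.min(...corners.map((p) => p.x)),
    top: Math.min(...corners.map((p) => p.y)),
    right: Math.max(...corners.map((p) => p.x)),
    bottom: Math.max(...corners.map((p) => p.y)),
  };
}

// Intersect with the content clip; null means nothing may be drawn.
function clipTo(bounds, clip) {
  const r = {
    left: Math.max(bounds.left, clip.left),
    top: Math.max(bounds.top, clip.top),
    right: Math.min(bounds.right, clip.right),
    bottom: Math.min(bounds.bottom, clip.bottom),
  };
  return r.left < r.right && r.top < r.bottom ? r : null;
}

// The invariant the renderer must keep: whatever the transform, the drawn
// rectangle never leaves the content area.
function visibleBounds(parentPerspective, childTransform, rect, clip) {
  return clipTo(projectedBounds(parentPerspective, childTransform, rect), clip);
}

// Constructed values for a stand-alone run (not taken from the testcase).
const CONTENT_CLIP = { left: 0, top: 0, right: 1280, bottom: 720 };
const ELEMENT = { left: 0, top: 0, right: 100, bottom: 100 };
```

Running it with perspective(500) and rotateX(1deg) on the point (0, 100, 0) gives a y of about 100.33 for the correct order and exactly 99.98 (100 * cos 1deg) for the early-flattened order; with rotateX(0deg) both give 100. Translating the element 50px above the content area leaves a visible rect clipped to rows 0 to 50, and translating it 200px above yields null, i.e. nothing to draw.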
Comment 8•4 years ago
Comment 9•4 years ago
Comment on attachment 9212910
Roll back flattening Z to only affect the output
Revision D110463 was moved to bug 1702331. Setting attachment 9212910 to obsolete.
Comment 10•4 years ago
Comment 11•4 years ago
The fix from bug 1702331 was uplifted for 88.06 also.
https://hg.mozilla.org/releases/mozilla-beta/rev/7fc5dfd23a358233a58e0c78118fb3039a278950
Comment 12•4 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Comment 14•4 years ago