Moving Permission Panel with Click Still Registered in Default Position on GTK
Categories
(Core :: Widget: Gtk, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox91 | --- | fixed |
People
(Reporter: sourc7, Assigned: stransky)
Details
(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [clickjacking our UX][reporter-external] [client-bounty-form] [verif?][adv-main91+])
Attachments
(6 files)
After request multiple permission at the same time, then after first interaction to the permission panel, the second permission panel will moving to another position with click button still registered on default position, which lead user unintentionally click "Allow" on the permission button.
I noticed it currently affects Linux distributions that use KDE as the desktop environment:
- Kubuntu
- openSUSE
- KDE Neon
- Fedora KDE
- Manjaro KDE
When using mozregression the permission panel is moving out after checkout to commit Notification anchors are not hidden when the user types in the location bar.
Tested on:
- Arch Linux with KDE as default Desktop Environment
- Kubuntu 21.04 on VM
Steps to reproduce:
- Open Firefox on KDE (desktop environment)
- Visit attached moving-permission-panel.html
- When first permission dialog appear then press 'esc'
- The second permission dialog will appear on another position with click still registered on original doorhanger position
- Click on "Click to Continue" button
- Microphone or geolocation permission is now allowed
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
|
|
Reporter | |
Updated•3 years ago
|
|
||
Comment 3•3 years ago
|
||
Not seeing an issue on MacOS. Tyson sees a different positional weirdness on Gnome (only some of the time when he reloads) where the second permission panel shows up near the bottom of the screen rather than where it should.
Weirdly these look like pure "Firefox-styled" panels, they aren't OS widgets so why would the OS change the behavior?
gcp: do you know who works on platform widgets/drawing these days?
|
|
||
Updated•3 years ago
|
|
||
Comment 4•3 years ago
|
||
Oof, this is tricky. Most of out Linux platform widget work is done by Red Hat these days. But they ship GNOME, not KDE, so not sure how reasonable it is to ask them.
Tyson sees a different positional weirdness on Gnome (only some of the time when he reloads) where the second permission panel shows up near the bottom of the screen rather than where it should.
Oh, okay, if we have STR on GNOME then stransky might be able to investigate.
|
Assignee | |
Comment 5•3 years ago
|
||
Yes, I can reproduce it on Gnome too but in X11 mode only. I expect we use wrong popup parent / anchor so relative popup coordinates are wrong.
|
|
Assignee | |
Comment 6•3 years ago
|
||
This is a good old bug when gtk widget is not positioned when it's hidden. Will post a patch for it.
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 7•3 years ago
|
||
Gtk on X11 tends to ignore widget position change requests when widget is not shown. Save the position requests when window is hidden and
apply that when it's shown.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 8•3 years ago
|
||
I don't think this needs to be a security bug.
|
||
Comment 9•3 years ago
|
||
[Linux/X11] Reposition GtkWindow when it's shown, r=jhorak
https://hg.mozilla.org/integration/autoland/rev/1c3ed5c950ca0743b5c1d02efcda0f867e6cc4c4
https://hg.mozilla.org/mozilla-central/rev/1c3ed5c950ca
|
|
Reporter | |
Comment 10•3 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #3)
Not seeing an issue on MacOS. Tyson sees a different positional weirdness on Gnome (only some of the time when he reloads) where the second permission panel shows up near the bottom of the screen rather than where it should.
It turns out I can also reproduce this on Ubuntu 20.04.2 LTS, the permissions panel moves to the bottom of the screen (as in the attached video) and it works every time after interacting with first permission request, and at some point the first permissions panel moves down automatically without any interaction to the panel.
|
|
Reporter | |
Comment 11•3 years ago
|
||
(In reply to Martin Stránský [:stransky] (ni? me) from comment #8)
I don't think this needs to be a security bug.
In this case the
(In reply to Martin Stránský [:stransky] (ni? me) from comment #7)
Created attachment 9227852 [details]
Bug 1716129 [Linux/X11] Reposition GtkWindow when it's shown, r?jhorakGtk on X11 tends to ignore widget position change requests when widget is not shown. Save the position requests when window is hidden and
apply that when it's shown.
|
|
Reporter | |
Comment 12•3 years ago
|
||
(In reply to Martin Stránský [:stransky] (ni? me) from comment #8)
I don't think this needs to be a security bug.
In this case the when permission panel is moving the click position still registered on default position, which leads malicious websites able to trick the user to click "Allow" on the permission panel without the user realizing that click HTML5 button will also click "Allow" on the permission panel (i.e allow camera, microphone, and geolocation) (as on attached video above).
(In reply to Martin Stránský [:stransky] (ni? me) from comment #7)
Created attachment 9227852 [details]
Bug 1716129 [Linux/X11] Reposition GtkWindow when it's shown, r?jhorakGtk on X11 tends to ignore widget position change requests when widget is not shown. Save the position requests when window is hidden and
apply that when it's shown.
Thank you for the patch, I confirmed it fixed the issue on Arch Linux with KDE and Ubuntu 20.04.2 LTS on Firefox Nightly 91.0a1 (2021-06-20) (64-bit).
|
|
Reporter | |
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 13•3 years ago
|
||
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
||
Updated•26 days ago
|
Description
•