Invoke Element.requestFullscreen then navigate to page on bfcache wouldn't show fullscreen security notification
Categories
(Core :: DOM: Core & HTML, defect, P2)
Tracking
()
People
(Reporter: sourc7, Assigned: edgar)
References
(Regression)
Details
(Keywords: csectype-spoof, regression, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage][adv-main94+][adv-esr91.3+])
Attachments
(6 files)
|
205 bytes,
text/html
|
Details | |
|
687.85 KB,
video/mp4
|
Details | |
|
461 bytes,
text/html
|
Details | |
|
1.06 MB,
video/mp4
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr91+
tjr
:
sec-approval+
|
Details | Review |
|
302 bytes,
text/plain
|
Details |
After call element.requestFullScreen() then subsequently navigate to page in bfcache (e.g. using HTMLFormElement.submit(), location.href, or window.location.back(), and etc.) the browser goes into fullscreen without any fullscreen notification ("<domain> is now in fullscreen") as user unaware page displayed fullscreen it can leads to address bar UI spoofing.
I've tested this it works everytime I pressed the requestFullScreen button on the testcase using Windows 10 (on my laptop and VM). However on Linux (tested on KDE and GDM) it still require couple of button click to successfully turn browser into fullscreen.
When checking with mozregression I found the browser goes into fullscreen without security notification is after commit Bug 1669961 - Return null from .contentWindow when inner window is inactive. I observe before the commit Firefox will exit the fullscreen mode instead of goes into fullscreen.
Steps to reproduce:
- Visit attached fullscreen-spoof-form.html
- Click "requestFullScreen" button
- Browser goes into fullscreen without any fullscreen notification
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
|
|
Reporter | |
Comment 3•3 years ago
|
||
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 5•3 years ago
|
||
(In reply to Irvan Kurniawan (:sourc7) from comment #0)
I observe before the commit Firefox will exit the fullscreen mode instead of goes into fullscreen.
I think the original behaviour makes more sense as the tab is navigating away from the page that requests fullscreen.
I will take a look.
|
|
Assignee | |
Comment 6•3 years ago
•
|
||
Fullscreen used to have a way to detect if the page that requests fullscreen has navigated away during fullscreen process in https://searchfox.org/mozilla-central/rev/3fa5cc437a4937c621ea068ba5dc246f75831633/browser/actors/DOMFullscreenChild.jsm#29-36, but after bug 1669961, JSWindowActorChild.contentWindow returns null after navigation, so Fullscreen code bails out early in https://searchfox.org/mozilla-central/rev/3fa5cc437a4937c621ea068ba5dc246f75831633/browser/actors/DOMFullscreenChild.jsm#17.
|
|
Assignee | |
Comment 7•3 years ago
|
||
|
||
Comment 8•3 years ago
|
||
Changing severity to S2 because its a regression that might impact users in the wild.
|
|
Assignee | |
Comment 9•3 years ago
|
||
Comment on attachment 9244317 [details]
Bug 1730750 - Exit fullscreen when the inner window is no longer active;
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Might be easy to know there is some bugs on inactive inner window and fullscreen request, but it require specific timing and condition to tirgger the flaw.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Should be safe, the code only runs while the page has navigated away. There are existing fullscreen tests that help to ensure the fullscreen works on various cases.
|
||
Comment 10•3 years ago
|
||
Comment on attachment 9244317 [details]
Bug 1730750 - Exit fullscreen when the inner window is no longer active;
Approved to land and request uplift
|
||
Comment 11•3 years ago
|
||
Exit fullscreen when the inner window is no longer active; r=NeilDeakin
https://hg.mozilla.org/integration/autoland/rev/c63ee153751f243193d3dee1d119ca7382593495
https://hg.mozilla.org/mozilla-central/rev/c63ee153751f
|
||
Comment 12•3 years ago
|
||
Please request Beta and ESR91 approval on this.
|
||
Comment 13•3 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 15•3 years ago
|
||
Comment on attachment 9244317 [details]
Bug 1730750 - Exit fullscreen when the inner window is no longer active;
Beta/Release Uplift Approval Request
- User impact if declined: Invoking Element.requestFullscreen then navigating might not show fullscreen security notification, which could lead to address bar UI spoofing.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: Follow the steps in comment 0 or comment 4.
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change only affects the inner window that is no longer active.
- String changes made/needed: None
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is a sec-hight bug
- User impact if declined: Invoking Element.requestFullscreen then navigating might not show fullscreen security notification, which could lead to address bar UI spoofing.
- Fix Landed on Version: 95
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change only affects the inner window that is no longer active.
- String or UUID changes made by this patch: None
|
|
Assignee | |
Updated•3 years ago
|
|
|
||
Comment 16•3 years ago
|
||
Comment on attachment 9244317 [details]
Bug 1730750 - Exit fullscreen when the inner window is no longer active;
Approved for 94.0b8 and 91.3esr.
|
|
||
Comment 17•3 years ago
|
||
| uplift | ||
|
|
||
Comment 18•3 years ago
|
||
| uplift | ||
|
||
Updated•3 years ago
|
|
||
Comment 19•3 years ago
|
||
Using old Nightly from 2021-10-07 and the testcase from comment 2 I did reproduce the issue. I verified that using latest build Nightly, Beta and ESR91 across platforms (Windows 10, macOS 11.6 and Ubuntu 18.04) this is no longer an issue, Firefox does not go into fullscreen.
One thing that I noticed is that using a MacBook Pro with Touchbar there is an option to Exit Fullscreen offered in the tab where it loads example.com and it's stuck there (does nothing). I know this is a testcase but I had to bring it up. This only happens with latest Nightly though.
Marking 94 and esr91 as verified, leaving the 95 as fixed for the moment, pending a reply from Edgar for the above ^^
|
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 20•3 years ago
|
||
(In reply to Bogdan Maris [:bogdan_maris], Release Desktop QA from comment #19)
One thing that I noticed is that using a MacBook Pro with Touchbar there is an option to Exit Fullscreen offered in the tab where it loads example.com and it's stuck there (does nothing). I know this is a testcase but I had to bring it up. This only happens with latest Nightly though.
Could you file a bug for this and cc me? Thanks!
|
|
||
Comment 21•3 years ago
|
||
(In reply to Edgar Chen [:edgar] from comment #20)
(In reply to Bogdan Maris [:bogdan_maris], Release Desktop QA from comment #19)
One thing that I noticed is that using a MacBook Pro with Touchbar there is an option to Exit Fullscreen offered in the tab where it loads example.com and it's stuck there (does nothing). I know this is a testcase but I had to bring it up. This only happens with latest Nightly though.
Could you file a bug for this and cc me? Thanks!
Logged bug 1737803 on this, apparently does reproduce with Fx91 as well so it's not limited to Nightly, I did make it a confidential issue by mistake (can't change it), I wanted to make it a security issue just to be sure.
|
|
||
Updated•3 years ago
|
|
|
||
Comment 22•3 years ago
|
||
Marking this bug as verified fixed since the issue here is verified.
|
|
||
Comment 23•3 years ago
|
||
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Updated•2 years ago
|
Description
•