Browser window is locked in fullscreen mode using window.resizeBy() or resizeTo()
Categories
(Core :: DOM: Core & HTML, task)
Tracking
()
People
(Reporter: sourc7, Assigned: edgar)
References
Details
(Keywords: csectype-dos, csectype-spoof, sec-high, Whiteboard: [reporter-external] [client-bounty-form][adv-main96+][adv-ESR91.5+][sec-survey])
Attachments
(5 files)
|
684 bytes,
text/html
|
Details | |
|
265.20 KB,
video/mp4
|
Details | |
|
539 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
tjr
:
approval-mozilla-beta+
tjr
:
approval-mozilla-esr91+
tjr
:
sec-approval+
|
Details | Review |
|
176 bytes,
text/plain
|
Details |
After invoke requestFullScreen in the popup window then move the popup window using moveBy or moveTo the browser goes into full screen with hidden fullscreen notification and moreover fullscreen mode won't exit even repeatedly press "esc" multiple times.
Tested on:
- Firefox Nightly 96.0a1 (2021-11-09) on Windows 11
- Firefox Release 94.0.1 on Windows 10 and Windows 11
Steps to reproduce:
- Visit attached launcher-fullscreen.bundle.html
- Click "Launch" button
- Tap anywhere on the popup page
- Browser goes into fullscreen with hidden fullscreen notification
- Press "esc" multiple times to try exit the fullscreen mode
- Browser still persist in fullscreen mode
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Updated•3 years ago
|
|
|
Reporter | |
Updated•3 years ago
|
|
|
Reporter | |
Comment 2•3 years ago
|
||
Oh sorry typo, it should be resizeBy or resizeTo as on attached testcase.
|
||
Comment 3•3 years ago
|
||
Seems to not work on macOS or linux, fwiw. Confirmed by Tyson on Windows.
It is possible to "get out" by Alt-tab to the original non-popup browser window, but the fullscreen persists if you switch back to the popup.
|
|
||
Updated•3 years ago
|
|
|
Reporter | |
Comment 4•3 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #3)
Seems to not work on macOS or linux, fwiw. Confirmed by Tyson on Windows.
Thanks Dan for the update, it turns out after removing document.write from the launcher-fullscreen.bundle.html, then testing this on Arch Linux and Ubuntu the fullscreen notification will also hidden, but press "esc" will exit the fullscreen mode.
It is possible to "get out" by Alt-tab to the original non-popup browser window, but the fullscreen persists if you switch back to the popup.
Yes, it only block the "esc" key which related to fullscreen code, other keyboard shortcut e.g. "ctrl+w" still works.
|
||
Comment 5•3 years ago
|
||
Edgar said he is investigating.
|
Assignee | |
Comment 6•3 years ago
|
||
(In reply to Irvan Kurniawan (:sourc7) from comment #4)
It is possible to "get out" by Alt-tab to the original non-popup browser window, but the fullscreen persists if you switch back to the popup.
Yes, it only block the "esc" key which related to fullscreen code, other keyboard shortcut e.g. "ctrl+w" still works.
This is a windows only bug, after calling window.resizeBy(), it seems window widget lose tracking of fullscreen state, so we early return in https://searchfox.org/mozilla-central/rev/702199bca53babc925e47fd8f86ed56487d42492/widget/windows/nsWindow.cpp#3655 when we tries to exit fullscreen trigger from "esc" key.
|
|
Assignee | |
Comment 7•3 years ago
|
||
(In reply to Irvan Kurniawan (:sourc7) from comment #4)
(In reply to Daniel Veditz [:dveditz] from comment #3)
Seems to not work on macOS or linux, fwiw. Confirmed by Tyson on Windows.
Thanks Dan for the update, it turns out after removing
document.writefrom the launcher-fullscreen.bundle.html, then testing this on Arch Linux and Ubuntu the fullscreen notification will also hidden, but press "esc" will exit the fullscreen mode.
This is another bug I think, it seems the warning is offset outside the viewport due to the window resize.
Chrome and safari exits fullscreen after window resize call, I think we should also follow them which is also good for compatibility.
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 8•3 years ago
|
||
(In reply to Edgar Chen [:edgar] from comment #7)
This is another bug I think, it seems the warning is offset outside the viewport due to the window resize.
Chrome and safari exits fullscreen after window resize call, I think we should also follow them which is also good for compatibility.
Split this out to bug 1742421.
|
|
Assignee | |
Comment 9•3 years ago
|
||
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 10•3 years ago
|
||
Comment on attachment 9252103 [details]
Bug 1740389;
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Probably not so hard, patch shows the issue is something with size mode and fullscreen exit, but someone would need to find a way to change the size mode.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: None.
- How likely is this patch to cause regressions; how much testing does it need?: My sense is it's unlikely. The patch is reasonable and only affect the exit fullscreen call. The existing fullscreen automatic test + the test case attached in the bug might be enough.
|
||
Comment 11•3 years ago
|
||
Comment on attachment 9252103 [details]
Bug 1740389;
Approved to land and uplift
|
||
Comment 12•3 years ago
|
||
r=handyman
https://hg.mozilla.org/integration/autoland/rev/619831fc630d5d87058951cf21f9726970d26951
https://hg.mozilla.org/mozilla-central/rev/619831fc630d
|
||
Comment 13•3 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
|
||
Updated•3 years ago
|
|
||
Comment 14•3 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/4aa7b33c8c0e
Approved for 96.0b4
|
|
||
Comment 15•3 years ago
|
||
| uplift | ||
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 16•3 years ago
|
||
(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #13)
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Done.
|
||
Comment 17•3 years ago
|
||
Reproduced the bug with STR from comment 0, on an affected Nightly build 95.0a1 (20211022213234).
The issue is verified as fixed on the latest builds: Nightly 97.0a1, Beta 96.0b4 and 91.5.0esr. Tested with Win 10 x64.
|
|
||
Updated•3 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 18•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
Description
•