Closed Bug 1749835 Opened 2 years ago Closed 1 month ago

Tabs without title or favicon are not visible to the user unless hovering the tabstrip

Categories

(Firefox :: Tabbed Browser, defect)

Product:
Firefox
Component:
Tabbed Browser
Version:
Firefox 96
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
127 Branch
Tracking Flags:
Tracking Status
firefox96 --- wontfix
firefox97 --- wontfix
firefox98 --- wontfix
firefox127 --- verified

People

(Reporter: jlennox+bugzilla, Assigned: jfkthame)

Details

Attachments

(2 files)

mozilla-invisible-tabs.png
178.52 KB, image/png
Details
Bug 1749835 - If document title doesn't contain any printable characters, don't use it as the tab label. r=dao
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0

Steps to reproduce:

Firefox depends on favicons and titles to give open tabs visual contrast. These being under control of a website means they have the ability to create contrast-less tabs which are "invisible" to the user.

This very basic JSFiddle demonstrates it. It does depend on the number of tabs opened vs the width of the window, because at some point firefox stops rending the "close" button.

https://jsfiddle.net/pcgmwy25/

Popups must be accepted for this specific example to work, but an attack would not specifically require such a thing, as they could be links that open in a new tab with these features, and the user "does this to themselves."

Actual results:

The website is able to open tabs that the user can not see. This permits the website to continue to run scripts or perform other behavior in the background without the user's knowledge.

The attached screen shot demonstrates the issue pretty clearly. One visible change is the movement of the new tab "+" button.

Expected results:

The tabs should have visual contrast independent of site controlled input.

Group: firefox-core-security

The Bugbug bot thinks this bug should belong to the 'Firefox::Tabbed Browser' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Tabbed Browser
Keywords: dupeme
Summary: Invisible browser tabs → Tabs without title or favicon are not visible to the user unless hovering the tabstrip

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0

Hi,

I am able to reproduce the issue in release 96, beta 97 and the latest nightly 98.0a1 (2022-01-18) using Windows 10.

Thanks for your input.

Severity: -- → S3
Status: UNCONFIRMED → NEW
Has STR: --- → yes
status-firefox96: --- → affected
status-firefox97: --- → affected
status-firefox98: --- → affected
Ever confirmed: true

The above patch is an idea for how we could largely mitigate this, although there are still a few possible ways to create a "blank" tab title if someone really wants to.

Assignee: nobody → jfkthame
Attachment #9397107 - Attachment description: Bug 1749835 - If document title doesn't contain any printable characters, don't use it as the tab label. → Bug 1749835 - If document title doesn't contain any printable characters, don't use it as the tab label. r=dao
Status: NEW → ASSIGNED
Pushed by dgottwald@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7c437aab7fc2
If document title doesn't contain any printable characters, don't use it as the tab label. r=tabbrowser-reviewers,dao

https://hg.mozilla.org/mozilla-central/rev/7c437aab7fc2

Status: ASSIGNED → RESOLVED
Closed: 1 month ago
status-firefox127: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
Flags: qe-verify+

Reproduced the issue on Firefox 98.0a1 on macOS 14.5 by following the infos provided in Comment 0.

The issue is fixed on Firefox 127.0b2. Tests were performed on macOS 14.5, Windows 11 and Ubuntu 24.04.

Status: RESOLVED → VERIFIED
status-firefox127: fixedverified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: