Window.print allow focus stealing can be abused to overlap fullscreen security notification
Categories
(Toolkit :: Printing, defect)
Tracking
()
People
(Reporter: sourc7, Assigned: emilio)
Details
(Keywords: csectype-spoof, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main107+][adv-esr102.5+])
Attachments
(6 files)
831 bytes,
text/html
|
Details | |
230.89 KB,
video/mp4
|
Details | |
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
dmeehan
:
approval-mozilla-esr102+
tjr
:
sec-approval+
|
Details | Review |
877 bytes,
text/html
|
Details | |
360.42 KB,
video/mp4
|
Details | |
272 bytes,
text/plain
|
Details |
After create new child window with window.open
then invoke requestFullScreen
repeatedly on parent window and window.print()
on child window simultaneously, the parent window will turn into full screen, then interestingly child window will be focused and overlapping the fullscreen notification.
Tested on:
- Firefox Nightly 106.0a1 (2022-09-14) (64-bit) on Windows 11
- Firefox Nightly 106.0a1 (2022-09-14) (64-bit) on Arch Linux
- Firefox 104.0.2 (64-bit) on Windows 11
- Firefox ESR 91.13.0esr (64-bit) on Windows 11
Steps to reproduce:
- Visit attached testcase.html
- Click "New Window" button
- Click "Spoof" button on parent window
- Fullscreen notification will be overlapped with child window
(There is a race possibility that caused window.print on child window to appear late, if that happens please try again)
Reporter | ||
Comment 1•2 years ago
|
||
Updated•2 years ago
|
Updated•2 years ago
|
Comment 2•2 years ago
|
||
Marking S2, since when circumstances are as in the video, this can completely defeat the fullscreen transition warning and cause UI spoofing.
I couldn't repro on Ubuntu on Wayland with 1440 px high screen, though: the print preview window opened lower on the screen relative to the fullscreen warning. One way to fix this would be ensuring that the print preview window always opens at lower coordinates than the fullscreen warning, since that wouldn't require any cross-process checks of what's actually going on. That might not be the optimal UI on less tall screens, though.
needinfoing Edgar for the fullscreen connection and Emilio for the print preview connection.
Comment 3•2 years ago
|
||
I am not sure if it is expected that print()
called on a inactive window would make the window focused. If so, then making the window that lose the focus exiting the fullscreen might be the thing we should do, so we behave the same as the case that a window.open
which will open a new foreground window, in that case we exit the fullscreen, too.
Assignee | ||
Comment 4•2 years ago
|
||
There are two window.focus() calls from privileged code that are relevant here. With a patch like this the attack doesn't work:
diff --git a/toolkit/components/printing/content/print.js b/toolkit/components/printing/content/print.js
index 050fd6d37a906..5b9201ca94946 100644
--- a/toolkit/components/printing/content/print.js
+++ b/toolkit/components/printing/content/print.js
@@ -355,7 +355,7 @@ var PrintEventHandler = {
await new Promise(resolve => window.requestAnimationFrame(resolve));
// Now that we're showing the form, select the destination select.
- window.focus();
+ // window.focus();
let fm = Services.focus;
fm.setFocus(document.getElementById("printer-picker"), fm.FLAG_SHOWRING);
diff --git a/toolkit/modules/SubDialog.jsm b/toolkit/modules/SubDialog.jsm
index 652477df40f05..11632a14f003f 100644
--- a/toolkit/modules/SubDialog.jsm
+++ b/toolkit/modules/SubDialog.jsm
@@ -879,7 +879,7 @@ SubDialog.prototype = {
if (!focusedElement) {
// Ensure the focus is pulled out of the content document even if there's
// nothing focusable in the dialog.
- this._frame.contentWindow.focus();
+ // this._frame.contentWindow.focus();
}
},
At a glance, both those things don't really want to raise the window, just to move focus inside a given window. Henri, do you know if there's a nice way of doing that from front-end code? Off-hand I don't see any API that could work for that (but it is probably not too terrible to add it?).
Assignee | ||
Comment 6•2 years ago
|
||
Updated•2 years ago
|
Reporter | ||
Comment 7•2 years ago
|
||
Alright I found that the window.print()
focused window can be closed automatically by delaying navigation to the window.close()
page, which similar to bug 1735071 the focused window closed automatically.
Reporter | ||
Comment 8•2 years ago
|
||
Assignee | ||
Comment 9•2 years ago
|
||
Clearing ni? to Henri because it was trivial after all. Can I get a sec-rating (and approval if needed)?
Assignee | ||
Comment 10•2 years ago
|
||
Comment on attachment 9295163 [details]
Bug 1790815 - Don't raise the window for tab-modal SubDialogs and in print. r=mstriemer,Gijs,pbz
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The fix hints at what the problem might be a little bit.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Should backport cleanly.
- How likely is this patch to cause regressions; how much testing does it need?: unlikely, fairly simple fix.
- Is Android affected?: No
Comment 11•2 years ago
|
||
Comment on attachment 9295163 [details]
Bug 1790815 - Don't raise the window for tab-modal SubDialogs and in print. r=mstriemer,Gijs,pbz
Approved to land and uplift after beta branches
![]() |
||
Comment 12•2 years ago
|
||
Don't raise the window for tab-modal SubDialogs and in print. r=Gijs
https://hg.mozilla.org/integration/autoland/rev/d5801e96e111e27cc99a2594f6e4163cb79ad836
https://hg.mozilla.org/mozilla-central/rev/d5801e96e111
Comment 13•2 years ago
|
||
Please nominate this for Beta and ESR102 approval when you get a chance.
Assignee | ||
Comment 14•2 years ago
|
||
Comment on attachment 9295163 [details]
Bug 1790815 - Don't raise the window for tab-modal SubDialogs and in print. r=mstriemer,Gijs,pbz
Beta/Release Uplift Approval Request
- User impact if declined: comment 0
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: comment 0
- List of other uplifts needed: none
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Relatively simple fix.
- String changes made/needed: none
- Is Android affected?: No
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: comment 0
- Fix Landed on Version: none
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Relatively simple / low-risk fix.
Assignee | ||
Updated•2 years ago
|
Comment 15•2 years ago
|
||
Comment on attachment 9295163 [details]
Bug 1790815 - Don't raise the window for tab-modal SubDialogs and in print. r=mstriemer,Gijs,pbz
Approved for 107.0b4.
Comment 16•2 years ago
|
||
uplift |
Updated•2 years ago
|
Comment 17•2 years ago
|
||
I have reproduced this bug on macOS 11, using an affected Nightly build, 106.0a1 (20220914213649).
The issue is verified as fixed on Beta 107.0b4 and latest Nightly 108.0a1, across platforms: Win 10 x64, macOS 11 and Ubuntu 18.04 x64.
Comment 18•2 years ago
|
||
Comment on attachment 9295163 [details]
Bug 1790815 - Don't raise the window for tab-modal SubDialogs and in print. r=mstriemer,Gijs,pbz
Approved for 102.5esr.
Comment 19•2 years ago
|
||
uplift |
Comment 20•2 years ago
|
||
This is also verified as fixed on 102.5.0esr (20221024131106), using Win 10 x64, macOS 11 and Ubuntu 18.04 x64.
Updated•2 years ago
|
Updated•2 years ago
|
Comment 21•2 years ago
|
||
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•8 months ago
|
Description
•