Re-run window.open with same windowName allow focus stealing can be used to overlap fullscreen notification toast
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
People
(Reporter: sourc7, Assigned: emilio)
References
(Regression)
Details
(Keywords: csectype-spoof, regression, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main107+][adv-esr102.5+])
Attachments
(5 files)
1.09 KB,
text/html
|
Details | |
127.06 KB,
video/mp4
|
Details | |
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
dmeehan
:
approval-mozilla-esr102+
tjr
:
sec-approval+
|
Details | Review |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
272 bytes,
text/plain
|
Details |
After launch child popup window with window.open
then re-run window.open
with same windowName
the child window able to repeatedly gain focus without requiring user click activation. With that method I found the child window popup able to overlap another popup fullscreen notification toast.
When run this on mozregression it point to this pushlog:
17:09.62 INFO: Last good revision: 566f81bfa373512b41c1a47962e21a06078d7bf8 (2021-02-08)
17:09.62 INFO: First bad revision: 89c5f958a3ac4795109acf1f9dff1c8026bb82fe (2021-02-09)
17:09.62 INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=566f81bfa373512b41c1a47962e21a06078d7bf8&tochange=89c5f958a3ac4795109acf1f9dff1c8026bb82fe
One of the pushlog that has window.open
keyword is Take focus from window.open etc even if we're already active but not in the active window. On nsDocShell.cpp
I've revert the shouldTakeFocus
code to the old one, when re-run the window.open
the child window wouldn't able to gain focus.
Tested on:
- Firefox 105.0.2 (64-bit) on Arch Linux (KDE X11)
- Firefox 105.0.2 (64-bit) on Arch Linux (KDE Wayland)
- Firefox 105.0.2 (64-bit) on Ubuntu 22.04.1 LTS (Wayland)
- Firefox Nightly 107.0a1 (2022-10-05) (64-bit) on Arch Linux (KDE X11)
- Firefox Nightly 107.0a1 (2022-10-05) (64-bit) on Arch Linux (KDE Wayland)
Steps to reproduce:
- Visit attached testcase.bundle.html on Linux OS
- Click "Launch stealFocusWindow"
- Click "Launch requestFullscreenWindow"
- Click "requestFullscreen" on child popup window
- Fullscreen notification toast will be overlapped with child window
Reporter | ||
Comment 1•2 years ago
|
||
Comment 2•2 years ago
|
||
Emilio: this looks like a regression from bug 1691214; could you take a look?
On a quick try I couldn't reproduce on Mac, but I didn't dig into whether I have any settings that might be interfering.
Updated•2 years ago
|
Comment 3•2 years ago
|
||
Set release status flags based on info from the regressing bug 1691214
Assignee | ||
Comment 4•2 years ago
|
||
Updated•2 years ago
|
Assignee | ||
Updated•2 years ago
|
Assignee | ||
Comment 5•2 years ago
|
||
Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen
Security Approval Request
- How easily could an exploit be constructed based on the patch?: somewhat? The fix is kind of obvious.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: Bug 1691214
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Should graft cleanly.
- How likely is this patch to cause regressions; how much testing does it need?: not likely. Again, the fix is obvious-ish.
- Is Android affected?: No
Assignee | ||
Comment 6•2 years ago
|
||
ni? to write a test when I have some time.
Updated•2 years ago
|
Assignee | ||
Comment 7•2 years ago
|
||
Assignee | ||
Updated•2 years ago
|
Comment 8•2 years ago
|
||
Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen
Approved to land and uplift after beta branches
Updated•2 years ago
|
Updated•2 years ago
|
Comment 9•2 years ago
|
||
Don't steal focus for navigations without user activation. r=hsivonen
https://hg.mozilla.org/integration/autoland/rev/71625a0f7411d2ec0f199f8c9b621713059be6bf
https://hg.mozilla.org/mozilla-central/rev/71625a0f7411
Updated•2 years ago
|
Comment 10•2 years ago
|
||
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox107
towontfix
.
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 11•2 years ago
|
||
Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen
Beta/Release Uplift Approval Request
- User impact if declined: comment 0
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: comment 0
- List of other uplifts needed: none
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Rather simple tweak.
- String changes made/needed: none
- Is Android affected?: No
Assignee | ||
Updated•2 years ago
|
Comment 12•2 years ago
|
||
Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen
Approved for 107.0b3.
Comment 13•2 years ago
|
||
uplift |
Updated•2 years ago
|
Comment 14•2 years ago
|
||
Verified as fixed in our latest Nightly Build as well as Beta 107.0b3.
Comment 15•2 years ago
|
||
:emilio this grafts cleanly to esr102, if you could submit an ESR uplift request when ready
Assignee | ||
Comment 16•2 years ago
|
||
Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen
Beta/Release Uplift Approval Request
- User impact if declined: Comment 0
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: comment 0
- List of other uplifts needed: none
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Relatively trivial fix to avoid stealing focus in some cases without a user interaction.
- String changes made/needed: none
- Is Android affected?: No
Updated•2 years ago
|
Comment 17•2 years ago
|
||
Comment on attachment 9297417 [details]
Bug 1793829 - Don't steal focus for navigations without user activation. r=hsivonen
Approved for 102.5esr.
Comment 18•2 years ago
|
||
uplift |
Comment 19•2 years ago
|
||
Verified as fixed in our latest Esr 102.5.
Updated•2 years ago
|
Comment 20•2 years ago
|
||
Updated•2 years ago
|
Updated•1 year ago
|
Comment 21•1 year ago
|
||
3 months ago, Tom Ritter [:tjr] placed a reminder on the bug using the whiteboard tag [reminder-test 2023-01-01]
.
emilio, please refer to the original comment to better understand the reason for the reminder.
Assignee | ||
Comment 22•1 year ago
|
||
Guess I can land the test now?
Comment 24•1 year ago
|
||
Add a test. r=hsivonen
https://hg.mozilla.org/integration/autoland/rev/6dccc823484fe867a8026470fb3891a99c83af0f
https://hg.mozilla.org/mozilla-central/rev/6dccc823484f
Updated•10 months ago
|
Description
•