Css Draw Mouse Cursor to hide omni box
Categories: Core :: DOM: CSS Object Model, defect
People: Reporter: sas.kunz, Assigned: emilio
Keywords: csectype-spoof, sec-moderate
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main107+][adv-esr102.5+]
Attachments (8 files):
- 155 bytes, text/html
- 3.14 MB, video/mp4
- 1.20 KB, text/html
- 157 bytes, text/html
- 782 bytes, image/png
- 606 bytes, image/png
- 48 bytes, text/x-phabricator-request (dmeehan: approval-mozilla-beta+; dmeehan: approval-mozilla-esr102+)
- 257 bytes, text/plain
When the mouse drawing cursor at 128x128 is not inside the iframe, the cursor cannot exit the web content area. But when inside an iframe, it should be able to bust out of the web content area and can hide the omnibox. Maybe it could be more useful to an attacker if the cursor image was a spoofed URL.
- Open abusive.html
- Move the cursor to hide the omnibox
I attached the PoC video and HTML file.
Comment 2•2 years ago
The test case doesn't do anything for me on OSX. It also appears to refer to a file hosted elsewhere. Does it reproduce for you? Can you please attach the full contents of the test case? Thanks.
This looks like it might be related to CSS, so I'll move it there.
I reproduce on Windows 10, Firefox 106.0 (64-bit).
Download cursor.html, index.html, 128x128.png, 32x32.png. Save all in the same folder and then open index.html.
(In reply to Andrew McCreight [:mccr8] from comment #2)
> The test case doesn't do anything for me on OSX. It also appears to refer to a file hosted elsewhere. Does it reproduce for you? Can you please attach the full contents of the test case? Thanks.
> This looks like it might be related to CSS, so I'll move it there.
Yes, it refers to: https://cr.kungfoo.net/style/cursor/abusive-cursor.html; the PoC URL is in an iframe.
Here is the code:
<html>
<head></head>
<body>
<iframe src="https://cr.kungfoo.net/style/cursor/abusive-cursor.html" style="width:1200px;height:1000px;position:absolute;top:-100px;left:-100px;">
</iframe>.
</body>
</html>
Comment 9•2 years ago
This bug keeps coming back, as people have different configs :-(
I can reproduce using the original attached testcase on a Mac (Big Sur 11.7). Andrew couldn't on Monterey (12.6), although he wasn't seeing any custom cursors at all. Last time it was more about OS zoom settings.
Comment 10•2 years ago (Assignee)
This should reproduce everywhere. It's because this looks at the in-process root viewport... Basically, it's this line of code or so that needs to change to check the top-level viewport.
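A geometric model of the difference comment 10 describes, as an added example that is not Gecko code and not part of the bug thread. The frame offset and size come from the test case posted above; the 32px size threshold, the top-level viewport size, the hotspots and all function names are assumptions made for illustration.

```javascript
// Added illustration: a geometric model of the check, not Gecko source.
// Assumption: cursors up to 32x32 are always allowed; larger ones must
// lie entirely inside the viewport they are checked against.
const MAX_UNCHECKED_CURSOR = 32;

const contains = (outer, r) =>
  r.x >= outer.x && r.y >= outer.y &&
  r.x + r.w <= outer.x + outer.w && r.y + r.h <= outer.y + outer.h;

// Rectangle the cursor image covers when its hotspot sits on the pointer.
const cursorRect = (pointer, cursor) => ({
  x: pointer.x - cursor.hotspot.x, y: pointer.y - cursor.hotspot.y,
  w: cursor.w, h: cursor.h,
});

const isLarge = (c) => c.w > MAX_UNCHECKED_CURSOR || c.h > MAX_UNCHECKED_CURSOR;

// Check against the in-process root viewport. For an out-of-process iframe
// that is the iframe's own box, so the frame's offset on the page is ignored.
function shouldBlockInProcess(pointerTop, cursor, frame) {
  if (!isLarge(cursor)) return false;
  const local = { x: pointerTop.x - frame.x, y: pointerTop.y - frame.y };
  const rootViewport = { x: 0, y: 0, w: frame.w, h: frame.h };
  return !contains(rootViewport, cursorRect(local, cursor));
}

// Check against the top-level viewport, in top-level coordinates.
function shouldBlockTopLevel(pointerTop, cursor, topViewport) {
  if (!isLarge(cursor)) return false;
  return !contains(topViewport, cursorRect(pointerTop, cursor));
}

// Frame geometry from the test case; the rest is constructed sample data.
const frame = { x: -100, y: -100, w: 1200, h: 1000 };
const topViewport = { x: 0, y: 0, w: 1000, h: 800 };
const big = { w: 128, h: 128, hotspot: { x: 64, y: 64 } };
const small = { w: 32, h: 32, hotspot: { x: 16, y: 16 } };
const nearCorner = { x: 20, y: 20 };
const centre = { x: 500, y: 400 };

for (const [name, p] of [["nearCorner", nearCorner], ["centre", centre]]) {
  console.log(name,
    "in-process blocks:", shouldBlockInProcess(p, big, frame),
    "top-level blocks:", shouldBlockTopLevel(p, big, topViewport));
}
```

Near the top-left corner the 128x128 cursor sits well inside the iframe's own box, so only the top-level check notices that it crosses the edge of the content area.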
Comment 11•2 years ago (Assignee)
Comment 12•2 years ago
Fix cursor intersection detection on OOP iframes. r=smaug
https://hg.mozilla.org/integration/autoland/rev/493fa5767494e968e3bdbc90748e48765565089f
https://hg.mozilla.org/mozilla-central/rev/493fa5767494
Comment 13•2 years ago
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox107 to wontfix.
For more information, please visit auto_nag documentation.
Comment 14•2 years ago (Assignee)
Comment on attachment 9299369 [details]
Bug 1795815 - Fix cursor intersection detection on OOP iframes. r=jfkthame,smaug
Beta/Release Uplift Approval Request
- User impact if declined: cursor might overlay address bar etc, if it's specified by an OOP iframe.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: Create a local file with the contents of comment 8, open it and hover near the top left corner.
- List of other uplifts needed: none
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Relatively straight-forward fix that uses the IntersectionObserver machinery.
- String changes made/needed: none
- Is Android affected?: No
Comment 15•2 years ago
Comment on attachment 9299369 [details]
Bug 1795815 - Fix cursor intersection detection on OOP iframes. r=jfkthame,smaug
Approved for 107.0b4.
Comment 16•2 years ago
uplift
Comment 17•2 years ago
I have reproduced this issue on macOS 11, using the local files from comment 8, on an affected Nightly build (20221017213658).
The issue is verified as fixed on Beta 107.0b4 and latest Nightly 108.0a1, across OS's: Win 10 x64, macOS 11 and Ubuntu 18.04 x64.
Comment 18•2 years ago
Comment on attachment 9299369 [details]
Bug 1795815 - Fix cursor intersection detection on OOP iframes. r=jfkthame,smaug
See comment 14.
Comment 19•2 years ago
Comment on attachment 9299369 [details]
Bug 1795815 - Fix cursor intersection detection on OOP iframes. r=jfkthame,smaug
Approved for 102.5esr.
Comment 20•2 years ago
uplift
Comment 21•1 year ago