Multiple requestFullScreen repeatedly then launch window with same window name able to overlap fullscreen notification toast
Categories
(Core :: DOM: Core & HTML, defect, P2)
Tracking
()
People
(Reporter: sourc7, Assigned: edgar)
References
Details
(Keywords: csectype-spoof, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main112+][adv-esr102.10+])
Attachments
(4 files)
4.48 KB,
text/html
|
Details | |
2.75 MB,
video/mp4
|
Details | |
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
diannaS
:
approval-mozilla-esr102+
tjr
:
sec-approval+
|
Details | Review |
321 bytes,
text/plain
|
Details |
After launch new popup window then repeatedly call multiple requestFullscreen using setInterval and launch popup window with same windowName interestingly it able to overlap fullscreen notification toast.
I have tested this works on Linux X11 and Wayland.
Tested on:
- Firefox Nightly 111.0a1 (2023-02-01) (64-bit) on Arch Linux KDE and Ubuntu 22.10
- Firefox 109.0.1 (64-bit) on Arch Linux KDE
Steps to reproduce
- Visit attached testcase.html
- Click "newWindow" button
- Click "Spoof" button on Main Window
- Re-click "Spoof" if child window not maximized or browser not goes into full-screen
- Browser goes into full-screen and overlapped by popup window
Reporter | ||
Comment 1•2 years ago
|
||
Reporter | ||
Comment 2•2 years ago
|
||
It looks like related to my reported Bug 1798219 which involve fullscreen race condition + reuse popup window, this one is more reliable and straight-forward to reproduce.
Updated•2 years ago
|
Comment 4•2 years ago
|
||
It's more plausible you could elicit this set of actions from a user. Not completely sold on the rating, but it does seem more "high" ish.
note: if, like me, you have disabled the ability to resize, move, and close windows this testcase won't work; you will have to revert those prefs. We really ought to make those the defaults for people -- no one's using those abilities for anything good.
Assignee | ||
Updated•2 years ago
|
Assignee | ||
Comment 5•2 years ago
|
||
There are two things need to check,
1). We don’t check user gestures on window.open() which is to open an existing window (with the same window name), but Chrome does, need to check how Webkit behaves and also spec.
2). I cannot reproduce the issue on macOS, seems like requesting fullscreen to cocoa widget will bring a background widget window to foreground, have not yet checked Windows.
Assignee | ||
Comment 6•2 years ago
•
|
||
(In reply to Edgar Chen [:edgar] from comment #5)
2). I cannot reproduce the issue on macOS, seems like requesting fullscreen to cocoa widget will bring a background widget window to foreground, have not yet checked Windows.
Hmm, I think the reason that I could not reproduce this on macOS is because of the fullscreen transition,
https://searchfox.org/mozilla-central/rev/3ede9deb876ad5d6389cb51b371d4a4c8d788deb/modules/libpref/init/all.js#3381-3388, which delay the fullscreen request a bit and make the fullscreen request could switch focus back to the fullscreen window. If I turn the fullscreen transition off, I could also reproduce this on macOS.
Assignee | ||
Comment 7•2 years ago
|
||
In this case, window.open()
which would bring the existing window get called before the requestFullscreen()
, but parent process receive the request to raise the popup window after the fullscreen request, I think it is hard to ensure the request order that arrives parent process, but anyway, we should leave fullscreen if another window get raised.
FocusManager
tries to handle that in https://searchfox.org/mozilla-central/rev/aa3ccd258b64abfd4c5ce56c1f512bc7f65b844c/dom/base/nsFocusManager.cpp#1659-1687, but it doesn't work for this case. And it doesn't work for the case that window is raised by clicking link, either. We should fix them together.
Assignee | ||
Comment 8•2 years ago
|
||
Updated•2 years ago
|
Assignee | ||
Comment 9•2 years ago
|
||
Comment on attachment 9321006 [details]
Bug 1814597; r?smaug
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The patch likely makes it obvious what the issue might be.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: I would expect that this patch could apply to all branches directly.
- How likely is this patch to cause regressions; how much testing does it need?: Should be safe as we have multiple existing tests cases for different scenarios, e.g.
- https://searchfox.org/mozilla-central/rev/2af0d81d29bcd264083e04a2473d82a91f0f7eb6/browser/base/content/test/fullscreen/browser_fullscreen_window_focus.js
- https://searchfox.org/mozilla-central/rev/2af0d81d29bcd264083e04a2473d82a91f0f7eb6/browser/base/content/test/fullscreen/browser_fullscreen_window_open.js
And more tests will be added in bug 1819756.
- Is Android affected?: No
Comment 10•2 years ago
|
||
Comment on attachment 9321006 [details]
Bug 1814597; r?smaug
Approved to land and uplift.
Updated•2 years ago
|
Comment 11•2 years ago
|
||
r=smaug
https://hg.mozilla.org/integration/autoland/rev/f75229a5f6abc1d6c52537c3ff08e966285767a4
https://hg.mozilla.org/mozilla-central/rev/f75229a5f6ab
Comment 12•2 years ago
|
||
The patch landed in nightly and beta is affected.
:edgar, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox112
towontfix
.
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 13•2 years ago
|
||
Comment on attachment 9315566 [details]
Firefox - Multiple requestFullscreen repeatedly + reuse popup window name able to overlap fullscreen toast.mp4
Beta/Release Uplift Approval Request
- User impact if declined: Fullscreen warning notification is overlapped by popup window, which could lead to address bar UI spoofing.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: Follow steps in comment# 0.
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Should be safe as we have multiple existing tests cases for different scenarios, e.g.
- https://searchfox.org/mozilla-central/rev/2af0d81d29bcd264083e04a2473d82a91f0f7eb6/browser/base/content/test/fullscreen/browser_fullscreen_window_focus.js
- https://searchfox.org/mozilla-central/rev/2af0d81d29bcd264083e04a2473d82a91f0f7eb6/browser/base/content/test/fullscreen/browser_fullscreen_window_open.js
- And more tests will be added in bug 1819756.
- String changes made/needed: None
- Is Android affected?: No
Assignee | ||
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Comment 14•2 years ago
|
||
Comment on attachment 9321006 [details]
Bug 1814597; r?smaug
Approved for 112.0b3
Comment 15•2 years ago
|
||
uplift |
Updated•2 years ago
|
Comment 16•2 years ago
|
||
Comment on attachment 9321006 [details]
Bug 1814597; r?smaug
Approved for 102.10esr
Comment 17•2 years ago
|
||
uplift |
Comment 18•2 years ago
|
||
I was able to reproduce the bug using the STR from comment 0, on an affected Nightly build (2023-02-02). I've checked with macOS 11.
The issue is verified as fixed on latest Nightly 113.0a1 and Beta 112.0b4 under macOS 11, Win 10 x64 and Ubuntu 18.04 x64. I'll verify this on ESR 102.10 as well once the builds are available in treeherder.
Updated•2 years ago
|
Comment 19•2 years ago
|
||
This is also verified as fixed on Esr 102.10, under macOS 11, Win 11 and Ubuntu 18.04 x64.
Updated•2 years ago
|
Updated•2 years ago
|
Comment 20•2 years ago
|
||
Updated•2 years ago
|
Updated•1 year ago
|
Updated•6 months ago
|
Description
•