Closed Bug 1846205 (CVE-2023-5726) Opened 1 year ago Closed 1 year ago

File picker should cause the browser window to lose focus on Mac

Categories

(Core :: Widget: Cocoa, defect, P3)

defect

Tracking

()

VERIFIED FIXED
120 Branch
Tracking Status
firefox-esr115 119+ verified
firefox118 --- wontfix
firefox119 + verified
firefox120 + verified

People

(Reporter: edgar, Assigned: edgar)

References

Details

(Keywords: csectype-spoof, sec-moderate, Whiteboard: [adv-main119+][adv-ESR115.4+])

Attachments

(2 files)

+++ This bug was initially created as a follow-up of Bug #1821884 comment# 40 +++

It appear that opening a file picker doesn't cause the browser window to lose focus on Mac (web content doesn't receive the blur event), so the solution in bug 1821884 doesn't work on Mac. I tested Chrome and Safari on Mac, both of them move the focus out of browser window when the file picker is opened, we probably should do the same.

(In reply to Edgar Chen [:edgar] from comment #0)

+++ This bug was initially created as a follow-up of Bug #1821884 comment# 40 +++

It appear that opening a file picker doesn't cause the browser window to lose focus on Mac (web content doesn't receive the blur event), so the solution in bug 1821884 doesn't work on Mac. I tested Chrome and Safari on Mac, both of them move the focus out of browser window when the file picker is opened, we probably should do the same.

When opening the file picker, the window control buttons in the top left corner change as if the window was losing focus. Is it possible that the window loses focus correctly, but that web content doesn't receive the expected blur event?

Severity: -- → S3
Flags: needinfo?(echen)
Priority: -- → P3

Yes, it is possible that browser window doesn't receive the WindowDeactivated notification, so it doesn't update the focus state properly.

Flags: needinfo?(echen)
See Also: → 1848423
Pushed by echen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a9c4719acd72 Use key state change to send activate/deactivate event when a modal window is opened; r=spohl,mac-reviewers
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch

The patch landed in nightly and beta is affected.
:edgar, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox119 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(echen)

Comment on attachment 9348977 [details]
Bug 1846205 - Use key state change to send activate/deactivate event when a modal window is opened; r?mstange,#mac-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: Fullscreen warning notification is overlapped by file picker, which could lead to address bar UI spoofing on macOS.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Same steps as https://bugzilla.mozilla.org/show_bug.cgi?id=1821884#c40
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This make the cocoa widget send activate/deactivate event properly when modal window is opened, should be safe.
  • String changes made/needed: None
  • Is Android affected?: No

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is not a sec-high/crit bug, but this patch make the solution of bug 1821884 working on macOS.
  • User impact if declined: fullscreen warning notification is overlapped by file picker, which could lead to address bar UI spoofing.
  • Fix Landed on Version: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This make the cocoa widget send activate/deactivate event properly when modal window is opened, should be safe.
Flags: needinfo?(echen)
Attachment #9348977 - Flags: approval-mozilla-esr115?
Attachment #9348977 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9348977 [details]
Bug 1846205 - Use key state change to send activate/deactivate event when a modal window is opened; r?mstange,#mac-reviewers

Approved for 119.0b4

Attachment #9348977 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9348977 [details]
Bug 1846205 - Use key state change to send activate/deactivate event when a modal window is opened; r?mstange,#mac-reviewers

Approved for 115.4esr

Attachment #9348977 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
QA Whiteboard: [qa-triaged]

Reproduced with Fx 117.0a1 (2023-07-31) on macOS 13.
Verified fixed with Fx 120.0a1 (2023-10-02), Fx 119.0b4 and Fx ESR 115.4 (treeherder build) on macOS 13.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [adv-main119+r]
Whiteboard: [adv-main119+r] → [adv-main119+][adv-ESR115.4+]
Attached file advisory.txt
Alias: CVE-2023-5726
Regressions: 1875416

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: