websites can call moveTo as many times as they like, moving windows around randomly
Categories: Core :: DOM: Core & HTML, defect, P3
People: Reporter: planetman1125, Unassigned
References: Blocks 1 open bug
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Steps to reproduce:
Go to https://mehliug-git.github.io/cool-website/moveto.html
and then click "click me" to start the test.
Then you will notice a message saying it's blocking pop-ups, when in reality, out of full screen, you can see the pop-up from the website moving around the desktop, making it a bit difficult to interact with your PC.
If we see how the Tor Browser and the Brave browser approach this: for example, Brave allows this, however it sets a limit for how many times it can move around the desktop and eventually stops, while Chrome and Firefox just keep moving. The hardcore approach of Tor basically doesn't allow this.
Comment 3•9 months ago
Firefox supports a pref that disallows this functionality entirely, and Tor is probably using that. I know I set that personally. Otherwise this is following the web spec though so it's hard to call a security vulnerability. We may or may not have an existing bug to change the default pref setting in which case this would be a duplicate, but otherwise this could be that bug.
The pref is dom.disable_window_move_resize
Comment 4•7 months ago
I should clarify that the pref I mention in comment 3 prevents using moveTo at all and is a blunt instrument. Allowing the feature but limiting its use to a response to user activation would be a better approach.
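The policy suggested in comment 4 (allow moveTo, but only in response to user activation), together with a cap on the number of moves in the spirit of the limit the description attributes to Brave, can be modeled as below. This is an added example, not code from Firefox, Brave or any commenter; the names `WindowMoveGate` and `simulate`, the 5-second activation window and the default budget of one move per gesture are all assumptions.

```javascript
// Added illustration: a model of a moveTo() policy, not browser source code.
// All names and numbers here are hypothetical.
class WindowMoveGate {
  // activationWindowMs: how long a user gesture stays valid (assumed value).
  // movesPerActivation: how many moves one gesture may pay for (assumed value).
  constructor({ activationWindowMs = 5000, movesPerActivation = 1, now = Date.now } = {}) {
    this.activationWindowMs = activationWindowMs;
    this.movesPerActivation = movesPerActivation;
    this.now = now;
    this.activatedAt = null;
    this.remaining = 0;
  }

  // Call from trusted input handling (click, key press), never from page script.
  noteUserActivation() {
    this.activatedAt = this.now();
    this.remaining = this.movesPerActivation;
  }

  // Returns true if the move may proceed; consumes budget when it does.
  tryMove() {
    if (this.activatedAt === null) return false;
    const expired = this.now() - this.activatedAt > this.activationWindowMs;
    if (expired || this.remaining <= 0) {
      this.activatedAt = null;
      this.remaining = 0;
      return false;
    }
    this.remaining -= 1;
    return true;
  }
}

// Constructed scenario: user clicks and scripted moveTo() calls on one timeline.
// Returns the timestamps of the moveTo() calls the gate would let through.
function simulate(callTimesMs, clickTimesMs, options = {}) {
  let clock = 0;
  const gate = new WindowMoveGate({ ...options, now: () => clock });
  const events = [
    ...clickTimesMs.map((t) => ({ t, kind: "click" })),
    ...callTimesMs.map((t) => ({ t, kind: "move" })),
  ].sort((a, b) => a.t - b.t || (a.kind === "click" ? -1 : 1));
  const allowed = [];
  for (const ev of events) {
    clock = ev.t;
    if (ev.kind === "click") gate.noteUserActivation();
    else if (gate.tryMove()) allowed.push(ev.t);
  }
  return allowed;
}
```

With one click at t=0 and a script calling moveTo in a loop, only the first call is honored; every later call is dropped until the user interacts again.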