Closed
Bug 1883678
Opened 2 years ago
Closed 2 years ago
Web content can receive and dispatch events used by the screenshot component
Categories
(Firefox :: Screenshots, defect)
Tracking
()
RESOLVED
FIXED
125 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox123 | --- | disabled |
| firefox124 | --- | disabled |
| firefox125 | + | fixed |
People
(Reporter: gregp, Assigned: niklas)
Details
(4 keywords)
Attachments
(2 files)
These events can be observed by web content. Additionally, web content can dispatch these events and the Screenshots component will respond! Not good...
- Screenshots:Close
- Screenshots:Copy
- Screenshots:Download
- Screenshots:RecordEvent
- Screenshots:OverlaySelection
- Screenshots:ShowPanel
- Screenshots:HidePanel
Steps to reproduce:
- Open a fresh profile in Firefox Nightly
- Load the attached test case
Actual results:
The attached test case can observe these events.
The attached test case is able to modify the user's clipboard and downloads folder.
Expected results:
The attached test case can't do that, ideally.
I found this issue while trying to figure out how to write an automated test for bug 1880634.
|
Reporter | |
Updated•2 years ago
|
Version: unspecified → Firefox 125
|
Assignee | |
Comment 1•2 years ago
|
||
|
||
Updated•2 years ago
|
Assignee: nobody → nbaumgardner
Status: NEW → ASSIGNED
|
||
Updated•2 years ago
|
status-firefox123:
--- → disabled
status-firefox124:
--- → disabled
status-firefox125:
--- → affected
tracking-firefox125:
--- → +
|
|
||
Updated•2 years ago
|
status-firefox-esr115:
--- → disabled
|
|
Assignee | |
Updated•2 years ago
|
|
|
||
Comment 2•2 years ago
|
||
Note: we're calling this sec-moderate largely because the user has to invoke a screenshot to be vulnerable. If users were vulnerable all the time on every site we'd dig more into worst-casing exactly what the events could do to see if it might be sec-high.
Pushed by nbaumgardner@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c13ff57ddd8d
Dispatch screenshots events to chrome only. r=mconley
|
||
Comment 4•2 years ago
|
||
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
|
|
Reporter | |
Updated•2 years ago
|
Flags: sec-bounty?
|
||
Updated•2 years ago
|
QA Whiteboard: [post-critsmash-triage]
|
|
||
Updated•2 years ago
|
Flags: sec-bounty? → sec-bounty+
|
||
Updated•1 year ago
|
Keywords: reporter-external
|
|
||
Updated•1 year ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•