Closed Bug 748198 Opened 9 years ago Closed 6 years ago

Don't allow Esc key (and friends) to enter full-screen, open popups, etc

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla38
Tracking Status
firefox38 --- fixed

People

(Reporter: jruderman, Assigned: xidorn)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-spoof, sec-want, testcase, Whiteboard: [adv-main38-])

Attachments

(2 files)

Attached file somewhat evil testcase
The following should not be able to trigger full-screen or open popups:

* Esc (reserved for leaving full-screen)
* Modifier keys
* Shortcuts for switching tabs or windows
* Shortcuts for closing tabs or windows
* Shortcuts for going back in session history
* Scrolling keys (other than spacebar) (maybe)
Depends on: 380637
Keywords: csec-spoof
Whiteboard: [sg:want]
Assignee: nobody → quanxunzhen
I'm thinking about excluding Esc and Modifiers from considering as valid user input to open fullscreen and popups. I don't think we should exclude other shortcuts.

The only thing I'm concerned is how excluding those keys will affect the behavior related to AccEvent. It looks that other usage of user input checking is only for fullscreen and popups, but I'm not sure about the AccEvent side.
Attached patch patchSplinter Review
Attachment #8558800 - Flags: review?(bugs)
A few more shortcuts will be excluded in bug 1052569 (assuming it gets fixed), so just excluding Esc and modifiers sounds good here. Thanks, Xidorn!
Attachment #8558800 - Flags: review?(bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/7b12f75099e8
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Whiteboard: [adv-main38-]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.