According to .mario, the click-to-play feature is clickjackable. Users could be tricked into enabling plugins and opening the attack surface of blocked plugins. From his tweet at https://twitter.com/0x6D6172696F/status/291861651907563520 (his account protected): > Why exactly is Firefox's Click-To-play overlay "clickjackable"? > http://bit.ly/U3fqkW Code-exec just one invisible click away His main point is that the click-to-play features is an overlay in the DOM. If the yes/no/never button was in the main browser window instead (like our geolocation prompt, as chrome does it), this issue would not arise. I'm marking this as core security, but feel free to lift this restriction if you oppose.
Well, this probably doesn't need to be core-security, because it's not really a secret. I think bug 838999 was opened in response to this tweet. If I recall correctly, there's also another bug along similar lines but with a different mechanism. The original specification for the feature explicitly stated that click-jacking prevention was out of scope. Now that we've got the initial implementation, we're going back and re-working some of the UI partly for this exact reason. There's a thread in dev.apps.firefox ("Click-to-play design wireframes") for anyone curious.
Created attachment 722985 [details] [diff] [review] prototype Here's a quick implementation of one idea we had ( http://cl.ly/image/3m202H2R001J ) My current approach is actually pretty terrible for multiple reasons: - I feel like I'm reinventing all the wheels - xul popup panels don't work unless the root binding (I think?) is xul. This means that I can't put a panel in the plugin problem binding and have it work on a per-element basis. So, I had to put a panel in browser.xul, which has all sorts of problems. Any feedback would be appreciated.
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
I'm just going to mark this a duplicate.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 832481
You need to log in before you can comment on or make changes to this bug.