Closed Bug 1631251 Opened 5 years ago Closed 5 years ago

Website can re-enter fullscreen on ESC key and trap user in fullscreen

Categories

(Core :: DOM: Core & HTML, defect, P1)


VERIFIED FIXED
mozilla77
Tracking Status
firefox-esr68 --- unaffected
firefox75 --- wontfix
firefox76 + wontfix
firefox77 + verified

People

(Reporter: pbz, Assigned: edgar)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [adv-main77-][post-critsmash-triage])

Attachments

(1 file, 1 obsolete file)

Blocks: eviltraps

[Tracking Requested - why for this release]:
Sites can lock users into fullscreen, inviting lots of DOS and spoofing possibilities. Try the demo.

Okay, this is really bad. If you try out the POC users can be very easily trapped in fullscreen until they figure out to close the window with Ctrl+W, which I assume is never for some users. The whole system gets taken over that way. This is a sec-high at least, IMO.

Edgar, can you take a look? I think we need to consume the user activation when exiting fullscreen.

Flags: needinfo?(echen)
Priority: -- → P1

This is a sec-high at least, IMO.

Reconsidering this I guess we have similarly bad DOS issues that can kill Firefox instantly which we have categorized as sec-moderate so there's that. Still worth tracking for Beta and possibly release because it's so easy for hackers to exploit for their purposes.

Not a lot of time left this cycle for a fix to ship in 76 (RC is next week), but I'd take a low-risk patch.

Group: core-security → dom-core-security
Assignee: nobody → echen
Flags: needinfo?(echen)

(In reply to Johann Hofmann [:johannh] from comment #1)

Edgar, can you take a look? I think we need to consume the user activation when exiting fullscreen.

Only consuming the user activation seems not enough, because the keydown event is also considered a user-activation event.
Blink also treats keydown as a user-activation event, but filters out the ESC key; we probably should do the same thing.
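The following is an added model (not Firefox or Blink code) of why both parts of the fix are needed: consuming transient activation on fullscreen exit, and not granting activation for an ESC keydown. It assumes a simplified activation model where a gesture sets a transient flag that requestFullscreen() checks but does not consume, and that the ESC keydown is still delivered to the page around the time the browser exits fullscreen; class and method names are hypothetical.

```javascript
// Hypothetical model of transient user activation and fullscreen entry
// (added example, not browser code). A page that re-requests fullscreen
// from its ESC/fullscreenchange handler is the "trap" under test.
class FullscreenModel {
  constructor({ escapeGrantsActivation, consumeOnExit }) {
    this.escapeGrantsActivation = escapeGrantsActivation; // Blink filters ESC
    this.consumeOnExit = consumeOnExit;                   // comment #1 proposal
    this.activation = false; // transient user-activation flag
    this.fullscreen = false;
  }
  click() { this.activation = true; }            // a real gesture grants activation
  keydown(key) {                                 // keydown is also a gesture...
    if (key === "Escape" && !this.escapeGrantsActivation) return; // ...unless filtered
    this.activation = true;
  }
  // Site API: allowed only while activation is set (assumed not consumed here).
  requestFullscreen() {
    if (!this.activation) return false;
    this.fullscreen = true;
    return true;
  }
  // Browser handling of ESC: leave fullscreen, optionally consume activation,
  // then (assumption) the keydown still reaches the page's handler.
  pressEscape() {
    this.fullscreen = false;
    if (this.consumeOnExit) this.activation = false;
    this.keydown("Escape");
  }
}

// Returns true when the page can re-enter fullscreen right after the user
// pressed ESC, i.e. the user is trapped under the given policy.
function escapeTrapsUser(policy) {
  const m = new FullscreenModel(policy);
  m.click();               // legitimate gesture
  m.requestFullscreen();   // site enters fullscreen
  m.pressEscape();         // user tries to leave
  return m.requestFullscreen(); // page's handler re-requests immediately
}
```

Only the combination of consuming activation on exit and filtering ESC from keydown activation makes escapeTrapsUser() return false; either mitigation alone still leaves a path back into fullscreen.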

Blocks: 1577516
Attachment #9142818 - Attachment is obsolete: true
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]

Reproduced the initial issue on version 77.0a1 (2020-04-19) using Windows 10.
Verified - Fixed in version Nightly 77.0a1 (2020-05-01) (build id: 20200501094247) using Windows 10, Windows 7, MacOs 10.15.5 and Ubuntu 18.04.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [post-critsmash-triage] → [adv-main77-][post-critsmash-triage]
Group: core-security-release
Has Regression Range: --- → yes
Keywords: regression
