Firefox: Consider disabling the ability for pages to automatically trigger the standard Color Picker
Categories
(Core :: DOM: Core & HTML, enhancement)
People
(Reporter: elliottabarnes, Unassigned)
References
(Blocks 2 open bugs)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Steps to reproduce:
Whilst performing some recent security testing, I noticed that Firefox appears to allow sites to automatically run the <input type="color"> HTML tag on a web page - without the user needing to interact with an element to trigger this function. In my case, this resulted in the loaded web page presenting the standard Windows Color dialog - when dismissed, as soon as I attempted to move the cursor on this particular web page it was once again automatically presented. Whilst I was unable to identify any security implications of this, this has the ability to cause confusion for users - especially if they're not able to easily close the page due to this presenting itself each time that the cursor is moved on the page.
Expected results:
We could consider only allowing this picker to be triggered when a user interacts with an element on a web page.
Comment 1•4 years ago
Setting a component for this enhancement in order to get the dev team involved.
If you feel it's an incorrect one please feel free to change it to a more appropriate one.
This could have been better handled if we implemented it as a custom non-modal dialog. Anne, do you think the spec should require an activation check here?
Comment 3•4 years ago
I can make it appear with click() in Chrome too, though it uses a non-modal dialog rather than a popup window. I suspect that requiring user interaction would break certain websites at this point.
Comment 4•4 years ago
IIRC we changed the behavior because some sites were relying on Chrome's behavior (but would need to check the blame to ensure that.)
Comment 6•4 years ago
In bug 1670795 somebody seems to have stumbled upon a real world evil page using this vector.
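The activation check discussed in this thread, sketched as a page-side or content-script gate that suppresses programmatic click() on a color input when no user gesture is active. This is an added example, not Firefox code and not part of the original bug thread; `installColorPickerGate`, `makeFakeDom` and `demo` are hypothetical names, and the DOM objects in `makeFakeDom` are constructed stand-ins so the block also runs outside a browser.

```javascript
// Wrap proto.click so that <input type="color"> only opens its picker
// while `activation.isActive` is true (transient user activation).
function installColorPickerGate(proto, activation, log = []) {
  const originalClick = proto.click;
  proto.click = function gatedClick(...args) {
    const isColorInput = this && this.tagName === "INPUT" &&
      String(this.type).toLowerCase() === "color";
    if (isColorInput && !activation.isActive) {
      // No user gesture in flight: record the attempt and do nothing.
      log.push({ blocked: true, id: this.id || null });
      return undefined;
    }
    return originalClick.apply(this, args);
  };
  return { log, uninstall() { proto.click = originalClick; } };
}

// Constructed stand-in for the DOM: click() records which element "opened".
function makeFakeDom() {
  const opened = [];
  const proto = { click() { opened.push(this.id); } };
  const make = (tagName, type, id) =>
    Object.assign(Object.create(proto), { tagName, type, id });
  return { proto, opened, make };
}

// Walk through the three cases the gate has to distinguish.
function demo() {
  const { proto, opened, make } = makeFakeDom();
  const activation = { isActive: false }; // assumed shape: navigator.userActivation
  const gate = installColorPickerGate(proto, activation);
  const color = make("INPUT", "color", "c1");
  const button = make("BUTTON", "submit", "b1");
  color.click();              // scripted, no gesture: suppressed
  button.click();             // not a color input: unaffected
  activation.isActive = true; // user has just interacted with the page
  color.click();              // allowed
  return { opened, blocked: gate.log.length };
}

// In a browser that exposes navigator.userActivation, install on the real prototype.
if (typeof window !== "undefined" && navigator.userActivation) {
  installColorPickerGate(HTMLElement.prototype, navigator.userActivation);
}
```

The gate's log gives a site or extension a count of suppressed attempts, which is also a usable signal that a page is trying to open the picker without interaction.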