User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0

Steps to reproduce:

Whilst performing some recent security testing, I noticed that Firefox appears to allow sites to automatically run the <input type="color"> HTML tag on a web page - without the user needing to interact with an element to trigger this function. IN my case, this resulted in the loaded web page presenting the standard Windows Color dialog - when dismissed, as soon as I attempted to move the cursor on this particular web page it was once again automatically presented. Whilst I was unable to identify any security implications of this, this has the ability to cause confusion for users - especially if they're not able to easily close the page due to this presenting itself each time that the cursor is moved on the page.

Expected results:

We could consider only allowing this picker to be triggered when a user interacts with an element on a web page.

Setting a component for this enhancement in order to get the dev team involved.
If you feel it's an incorrect one please feel free to change it to a more appropriate one.

This could have been better handled if we implemented it as a custom non-modal dialog. Anne, do you think the spec should require an activation check here?

I can make it appear with click() in Chrome too, though it uses a non-modal dialog rather than a popup window. I suspect that requiring user interaction would break certain websites at this point.

IIRC we changed the behavior because some sites were relying on Chrome's behavior
(but would need to check the blame to ensure that.)

In bug 1670795 somebody seems to have stumbled upon a real world evil page using this vector.