Closed Bug 838999 Opened 12 years ago Closed 11 years ago

Click To Play Bypass using opaque overlay with pointer-events: none

Categories

(Core Graveyard :: Plug-ins, defect, P2)

18 Branch
x86
macOS
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: benmmurphy, Unassigned)

References

Details

(Keywords: sec-want)

Attachments

(1 file)

Attached file bypass.html (deleted) —
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Steps to reproduce:

Clicked on a div with pointer-events:none with an applet behind it while click to play was enabled.


Actual results:

The applet started.


Expected results:

The applet should not have started.
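The report above describes an opaque element with pointer-events: none stacked over the click-to-play overlay, so the user sees the decoy while the click lands on the overlay beneath it. The following is an added example, not the bug's bypass.html attachment and not Firefox code: it models the occlusion check that bug 752516 asks for, deciding whether the overlay is visually covered by something hit testing will ignore. Element records are constructed plain objects standing in for getBoundingClientRect() and getComputedStyle() results, and paint order is approximated by z-index alone (a simplifying assumption).

```javascript
// Added example (not Firefox code); paint order is approximated by z-index (assumption).
function overlapArea(a, b) {
  const left = Math.max(a.left, b.left);
  const top = Math.max(a.top, b.top);
  const right = Math.min(a.left + a.width, b.left + b.width);
  const bottom = Math.min(a.top + a.height, b.top + b.height);
  return right > left && bottom > top ? (right - left) * (bottom - top) : 0;
}

// Lists every element painted above `target` that overlaps it, is visible to the user,
// and is skipped by hit testing; each entry carries the fraction of `target` it covers.
function findPassThroughCovers(target, elements) {
  const targetArea = target.rect.width * target.rect.height;
  const covers = [];
  for (const el of elements) {
    if (el.id === target.id) continue;
    if (el.pointerEvents !== 'none') continue;  // hit testing delivers the click to el itself
    if (el.opacity === 0 || el.visibility === 'hidden') continue; // user still sees the overlay
    if (el.zIndex < target.zIndex) continue;    // painted behind the overlay (z-index assumption)
    const area = overlapArea(target.rect, el.rect);
    if (area > 0) covers.push({ id: el.id, coveredFraction: area / targetArea });
  }
  return covers;
}

// True when the pass-through covered fraction exceeds `threshold` (default: any coverage),
// the condition under which an overlay click should be refused or sent to the doorhanger.
function isClickjackable(target, elements, threshold = 0) {
  const total = findPassThroughCovers(target, elements)
    .reduce((sum, c) => sum + c.coveredFraction, 0);
  return total > threshold;
}

// Constructed sample page: the CTP overlay sits where the applet is; a same-size opaque
// decoy with pointer-events: none is stacked on top; a tooltip is pass-through but invisible.
const OVERLAY = { id: 'ctp-overlay', rect: { left: 100, top: 100, width: 400, height: 300 },
  pointerEvents: 'auto', opacity: 1, visibility: 'visible', zIndex: 0 };
const ELEMENTS = [
  OVERLAY,
  { id: 'decoy', rect: { left: 100, top: 100, width: 400, height: 300 },
    pointerEvents: 'none', opacity: 1, visibility: 'visible', zIndex: 10 },
  { id: 'tooltip', rect: { left: 120, top: 120, width: 50, height: 20 },
    pointerEvents: 'none', opacity: 0, visibility: 'visible', zIndex: 20 },
  { id: 'sidebar', rect: { left: 600, top: 0, width: 200, height: 800 },
    pointerEvents: 'auto', opacity: 1, visibility: 'visible', zIndex: 5 },
];

console.log(findPassThroughCovers(OVERLAY, ELEMENTS), isClickjackable(OVERLAY, ELEMENTS));
```

In a real page the records would be gathered from every element in the document, since document.elementFromPoint() itself skips pointer-events: none elements and so cannot see the decoy.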
Group: core-security
Component: Untriaged → Plug-ins
Product: Firefox → Core
Attachment #711217 - Attachment mime type: text/plain → text/html
There are more than a few ways to clickjack CTP, I think something like bug 832481 is likely needed in the long run
Can we actually fix this without some form of bug 752516 (detecting whether the overlay is partially or fully covered by another element)?
Status: UNCONFIRMED → NEW
Ever confirmed: true
shorlander at one point suggested putting some or all of the overlay highest in the z-order so that it was always on top. I'm not sure what sites would break if we tried that.
Other potential worries:

Can't let the CTP widget be made transparent -- it should be completely resistant to being styled by the page.

Can't let it be so big it covers the entire screen, especially not so big that the part with the click-to-play icon/text is off-screen. In fact, we should strongly consider making ONLY the click-to-play icon part activate the plugin (that is, a sort of button) rather than having the entire dark area of arbitrary page-defined size clickable.
Isn't there an earlier bug to dupe this against? The clickjacking issue was known before we landed the feature but deferred because we needed to ship this sooner given the string of Java fail we've had recently.
Keywords: sec-want
Summary: Click To Play Bypass → Click To Play Bypass using opaque overlay with pointer-events: none
Can somebody verify that bug 832481 fixed this? The in-page UI isn't visible but should no longer be clickjackable. We may want to make additional changes to the zindex so that the overlay is always on top, but that would just help in preventing user confusion.
Priority: -- → P2
Yes, it seems to be fixed. CTP overlay is visible and is highlighted when the user is hovering it. Clicking on it enables the plugin.
Screenshot: http://i.imgur.com/mXFbxuL.jpg
(In reply to Loic from comment #7)
> Yes, it seems to be fixed. CTP overlay is visible and is highlighted when
> the user is hovering it. Clicking on it enables the plugin.
> Screenshot: http://i.imgur.com/mXFbxuL.jpg

That sounds like you have a Java version >7U15 or >6U41 and use explicit click-to-play via about:config.

The interesting thing to test here is using a Java version between 7U12 and 7U15 or between 6U39 and 6U41. Those should be forced click-to-play via the block-list.
This means that you should not be able to activate them via a single click, but need an additional click on the doorhanger (see bug 832481).
Keywords: qawanted
(In reply to Georg Fritzsche [:gfritzsche] from comment #9)
(In reply to Benjamin Smedberg [:bsmedberg] from comment #6)
> Can somebody verify that bug 832481 fixed this? The in-page UI isn't visible
> but should no longer be clickjackable.

Confirmed, but the CTP pop-up is still displayed.
And remember, bug 832481 is only for vulnerable plugins.
Then this works as expected for now.
The click-to-play redesign will resolve it for non-vulnerable plugins as well, as it will always require activation via the doorhanger.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Depends on: 752516
(In reply to Paul Silaghi [QA] from comment #10)
> Confirmed, but the CTP pop-up is still displayed.
> And remember, bug 832481 is only for vulnerable plugins.

(In reply to Georg Fritzsche [:gfritzsche] from comment #11)
> Then this works as expected for now.
> The click-to-play redesign will resolve it for non-vulnerable plugins as
> well, as it will always require activation via the doorhanger.

Actually this is also fixed for the non-vulnerable plugins once with the new CTP UI.
23.0a1 (2013-04-23) Win 7 x64
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard