Closed Bug 1516889 Opened 5 years ago Closed 5 years ago

Pressing Esc key while storage access prompt is open grants access but should block

Categories

(Firefox :: Site Identity, defect, P1)

Tracking

VERIFIED FIXED
Firefox 66
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- wontfix
firefox66 --- verified
firefox67 --- verified

People

(Reporter: aryx, Assigned: ehsan.akhgari)

Details

(Whiteboard: [privacy65])

Attachments

(2 files)

Firefox Nightly 65.0a1 20181230093119

Pressing the Esc key while the storage access prompt is open grants access but should block (because that is styled as the primary action).

Steps to reproduce, from https://testrail.stage.mozaws.net/index.php?/cases/view/226129

Preconditions

Set the following preferences in about:config :

* Make sure dom.storage_access.enabled is TRUE (default in Nightly)
* Make sure urlclassifier.trackingAnnotationTable.testEntries is set to "storage-access.englehardt-tracker.com,imminent-archeology.glitch.me".
* Make sure network.cookie.cookieBehavior is 4 (default in Nightly)
* Make sure dom.storage_access.auto_grants is FALSE 

1. Open the Firefox Browser and set the preferences from the Preconditions section.

2. Reach https://storage-access.englehardt-tracker.com/index.html and Click anywhere on the page.
Reach https://imminent-archeology.glitch.me/ and Click anywhere on the page.

3. Reach https://ehsanakhgari.org/test/storage_access/

4. Click the "Call document.hasStorageAccess()" button from the Top 2 frames.
	
The "False" text is returned since the Storage Access is Blocked with the STANDARD option selected.

5. Click the "Set and Get cookie via document.cookie" button from the Top 2 frames.
	
Expected:
The message:
Trying to set cookie with value:
0.random number
Your current non-HTTPonly cookies are:
is blank since the Storage Access is Blocked.

6. Click the Call document.requestStorageAccess() button from the Top 2 frames.

The Permission Prompt is displayed:
Will you give storage-access.englehardt-tracker.com access to track your browsing activity on senglehardt.com?
You may want to block storage-access on this site if you dont recognize or trust it.
Learn more about third-party trackers. message is displayed.

7. Press the Esc key to dismiss the Permissions prompt.

Expected: The "Access Denied" message is displayed.
Reality: "access granted" is shown.
Whiteboard: [privacy65][triage]

Johann, how does Esc handling normally work with these permission prompts? Any chance you could please point me to the code involved? Thanks!

Flags: needinfo?(jhofmann)

For consistency reasons (which our team ignored :/) the ESC key triggers the secondary action of the doorhanger. In all other permission prompts that means "Deny" and so it works. If we want to change it we'd need a new option for the PopupNotifications API that modifies this behavior: https://searchfox.org/mozilla-central/rev/c21d6620d384dfb13ede6054015da05a6353b899/toolkit/modules/PopupNotifications.jsm#256 to trigger "buttoncommand" instead.

I hope that helps, let me know if you have more questions :)

Flags: needinfo?(jhofmann)
Assignee: nobody → ehsan
Target Milestone: --- → Firefox 66
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [privacy65][triage] → [privacy65]
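
The Esc routing described in the comment above, modeled as an added example (not Firefox's code and not part of the original bug). It shows why a prompt whose primary action is "block" grants on Esc, and a regression check that catches it. `showPrompt`, `escAction`, the button labels and the "secondarybuttoncommand" name are assumptions made for this model; only "buttoncommand" is taken from the comment.

```javascript
// Simplified model of a permission doorhanger; this is NOT PopupNotifications.jsm.
// `escAction` is a hypothetical option. "buttoncommand" (primary button) is the
// name used in the bug; "secondarybuttoncommand" is this model's name for the other.
function showPrompt({ mainAction, secondaryAction, escAction = "secondarybuttoncommand" }) {
  const handlers = {
    buttoncommand: mainAction,
    secondarybuttoncommand: secondaryAction,
  };
  return {
    clickPrimary: () => mainAction.callback(),
    clickSecondary: () => secondaryAction.callback(),
    // Esc is routed to whichever button command the prompt selected.
    pressEsc: () => handlers[escAction].callback(),
  };
}

// Typical permission prompt: primary = allow, secondary = deny (constructed labels).
function typicalPrompt() {
  return showPrompt({
    mainAction: { label: "Allow", callback: () => "granted" },
    secondaryAction: { label: "Don't Allow", callback: () => "denied" },
  });
}

// Storage access prompt as reported: blocking is the primary action,
// so the two buttons are inverted relative to other permission prompts.
function storageAccessPrompt(options = {}) {
  return showPrompt({
    mainAction: { label: "Block Access", callback: () => "denied" },
    secondaryAction: { label: "Allow Access", callback: () => "granted" },
    ...options,
  });
}

// Regression check: dismissing a prompt with Esc must never resolve to a grant.
function escGrants(prompt) {
  return prompt.pressEsc() === "granted";
}

console.log("typical prompt, Esc grants:", escGrants(typicalPrompt()));
console.log("storage access, default Esc grants:", escGrants(storageAccessPrompt()));
console.log("storage access, Esc -> buttoncommand grants:",
  escGrants(storageAccessPrompt({ escAction: "buttoncommand" })));
```
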
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/95fee3425c55
Part 1: Make sure browser_storageAccessDoorHanger.js passes by packaging its dependencies correctly; r=johannh
https://hg.mozilla.org/integration/mozilla-inbound/rev/fe40c77b54b4
Part 2: Make sure the storage access API prompt is denied when pressing Esc; r=johannh
Flags: needinfo?(ehsan)
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/11d24ce31126
Part 1: Make sure browser_storageAccessDoorHanger.js passes by packaging its dependencies correctly; r=johannh
https://hg.mozilla.org/integration/mozilla-inbound/rev/018c76dba8fa
Part 2: Make sure the storage access API prompt is denied when pressing Esc; r=johannh
Flags: qe-verify+

Verified as fixed on Firefox Nightly 67.0a1 and Firefox 66.0b3 on Windows 10 x64, Windows 7 x32, Mac OS X 10.13 and on Ubuntu 16.04 x64.

Status: RESOLVED → VERIFIED
Flags: qe-verify+