
Issue 826140

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




Security issue - Fullscreen without user generated event

Reported by kalpeshs...@gmail.com, Mar 27 2018

Issue description

Chrome Version       : 65.0.3325.181
OS Version: OS X 10.12.6
URLs (if applicable) : http://fscreen.rafrex.com/
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari: OK
    Firefox: OK
    IE/Edge:

What steps will reproduce the problem?
1. Visit http://fscreen.rafrex.com/
2. Fire document.querySelector('[role="button"]').click() in the web console
3. You will be in fullscreen mode, which you must not be, because you fired the event from the web console. It must be a user-generated event.

What is the expected result?
It must deny entering fullscreen mode, with the failure reason in the web console.

What happens instead of that?
It entered fullscreen mode.

Please provide any additional information below. Attach a screenshot if
possible.


UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36



 
Attachment: fullscreen.png (264 KB)

Comment 1 by woxxom@gmail.com, Mar 27 2018

It looks like typing in devtools is considered a user gesture which may be correct AFAICT.
Interestingly, the flag is kept internally for 1 second so the following code will fail:
  setTimeout(() => document.querySelector('[role="button"]').click(), 1001)

Whoa! This is really interesting.
After 1 second, it works the same as Firefox.

What could be the reason for the 1 second delay?

JFYI, according to the W3C spec, fullscreen can only be initiated by a user-generated event. Firefox logs a failure message, whereas Safari silently denies.
Cc: sindhu.chelamcherla@chromium.org
Components: Blink>Fullscreen
Labels: -Pri-3 Triaged-ET M-67 Target-67 FoundIn-67 Needs-Triage-M65 OS-Linux OS-Windows Pri-2
Status: Untriaged (was: Unconfirmed)
Able to reproduce this issue on reported version 65.0.3325.181 and on latest canary 67.0.3381.0 using Mac 10.13.3, Windows 10 and Ubuntu 14.04. Not seeing any error in console, but enters fullscreen.

This issue is seen from M-60. Hence considering this issue as Non-Regression and marking as Untriaged.

Thanks!
Thank you Sindhu.

Please keep me updated on this bug and share any knowledge about the 1s delay.


Comment 5 by e...@chromium.org, Mar 28 2018

Status: WontFix (was: Untriaged)
As described in comment 1, typing in the console is considered a user gesture (as the user is entering the command). This is working as intended and is not a security issue.

Extremely apologetic for the false alarm.

I have checked it too. It logs an error message.

I thought if something can be triggered from devtools then it might be triggered by devs.

I will be careful next time before raising bugs.

Thank you all for your time.
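
The behaviour discussed in comments 1 and 5, as an added model that is not Chromium code and not part of the original thread: a user gesture (including a command typed into the DevTools console) opens a short window during which a script-driven `click()` may enter fullscreen. The `ActivationGate` class, the replay helpers and the virtual clock are hypothetical; the 1000 ms window is the figure reported in comment 1, and treating the boundary as inclusive is an assumption.

```javascript
// Added model of the gesture gate described in this thread (not Chromium source).
const WINDOW_MS = 1000; // "kept internally for 1 second", per comment 1

class ActivationGate {
  constructor(windowMs = WINDOW_MS) {
    this.windowMs = windowMs;
    this.lastGesture = null; // virtual-clock time (ms) of the latest user gesture
  }

  // A real click or key press, or a command entered in the DevTools console
  // (comments 1 and 5: console input counts as a user gesture).
  userGesture(now) {
    this.lastGesture = now;
  }

  // Script-driven events such as element.click() never call userGesture();
  // they pass the gate only while an earlier real gesture is still fresh.
  requestFullscreen(now) {
    if (this.lastGesture === null) {
      return { ok: false, reason: 'no user gesture' };
    }
    const age = now - this.lastGesture;
    if (age > this.windowMs) { // assumption: the window is inclusive at windowMs
      return { ok: false, reason: `gesture expired (${age} ms old)` };
    }
    return { ok: true, reason: `gesture is ${age} ms old` };
  }
}

// Scenario from the report: the user presses Enter in the console at t=0 and
// the typed command calls click() after delayMs (0, or 1001 via setTimeout).
function replayConsoleCommand(delayMs) {
  const gate = new ActivationGate();
  gate.userGesture(0);
  return gate.requestFullscreen(delayMs);
}

// Scenario the gate exists for: page script asks for fullscreen at atMs
// although nobody has interacted with the page or the console.
function replayPageScript(atMs) {
  const gate = new ActivationGate();
  return gate.requestFullscreen(atMs);
}

console.log(replayConsoleCommand(0));    // console command, immediate click()
console.log(replayConsoleCommand(1001)); // the setTimeout case from comment 1
console.log(replayPageScript(0));        // no gesture at all
```
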
