
Should showPicker() consume user activation?

Open josepharhar opened this issue 1 year ago • 5 comments

What is the issue with the HTML Standard?

https://html.spec.whatwg.org/multipage/input.html#dom-select-showpicker

These steps check for user activation but don't consume it, which allows the page to spam popups from the select element, for example, and prevent the user from clicking on other content or browser tabs. I got a security bug about this in Chrome.

Can we add a step to consume the user activation after checking for it to prevent this abuse? Or would that break something?

@lukewarlow

josepharhar, Jan 24 '24 21:01

Does the same issue apply to inputs? The idea with the spec is to match inputs' existing behaviour.

lukewarlow, Jan 24 '24 21:01

The security bug was about the fact that the select's popup contains author-provided content which can influence the user, so I guess that input.showPicker() might not need to consume user activation while we do consume user activation for the select.showPicker() - any reason not to consume user activation for inputs too?

josepharhar, Jan 24 '24 21:01

Other than back compat, I can't think of a reason not to.

lukewarlow, Jan 24 '24 22:01

I created a PR: https://github.com/whatwg/html/pull/10098

josepharhar, Jan 26 '24 22:01

Barring any new feedback, I think Mozilla is supportive of this change. In fact we were already implicitly consuming the user activation for <input type=color> and <input type=file> in Firefox.

evilpie, Jan 29 '24 10:01
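
A simplified model of the check-versus-consume distinction discussed in this thread, added here as an illustration; it is not code from the HTML Standard, the linked PR, or any browser. `WindowModel`, `pickersPerClick`, the model `showPicker` function and the 5-second activation lifetime are assumptions made for the sketch.

```javascript
// Simplified model of transient user activation. WindowModel, showPicker and
// pickersPerClick are hypothetical names for this sketch, not browser APIs.
const ACTIVATION_LIFETIME_MS = 5000; // assumed value; browsers choose their own

class WindowModel {
  constructor() {
    this.now = 0;
    this.lastActivation = Infinity; // no user gesture seen yet
  }
  userClick() { this.lastActivation = this.now; }
  advance(ms) { this.now += ms; }
  hasTransientActivation() {
    return this.now >= this.lastActivation &&
           this.now < this.lastActivation + ACTIVATION_LIFETIME_MS;
  }
  consumeActivation() {
    if (this.lastActivation !== Infinity) this.lastActivation = -Infinity;
  }
}

// consume=false models the check-only steps; consume=true adds the consume step.
function showPicker(win, consume) {
  if (!win.hasTransientActivation()) {
    const err = new Error("showPicker() requires a user gesture");
    err.name = "NotAllowedError";
    throw err;
  }
  if (consume) win.consumeActivation();
}

// Count how many script-initiated pickers a single click authorizes when the
// page calls showPicker() every 100 ms of simulated time.
function pickersPerClick(consume, attempts) {
  const win = new WindowModel();
  win.userClick();
  let shown = 0;
  for (let i = 0; i < attempts; i++) {
    try {
      showPicker(win, consume);
      shown++;
    } catch (e) {
      if (e.name !== "NotAllowedError") throw e;
    }
    win.advance(100);
  }
  return shown;
}

console.log("check only:", pickersPerClick(false, 100));       // 50
console.log("check and consume:", pickersPerClick(true, 100)); // 1
```

With the check alone, one click keeps authorizing pickers until the activation window expires; with the consume step, each picker needs its own user gesture.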