[Webkit-unassigned] [Bug 235836] New: document <body inert=true> fails to block activation from contained svg elements
bugzilla-daemon at webkit.org
Fri Jan 28 14:18:49 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=235836
Bug ID: 235836
Summary: document <body inert=true> fails to block activation from contained svg elements
Product: WebKit
Version: Safari Technology Preview
Hardware: iPhone / iPad
OS: iOS 15
Status: NEW
Severity: Normal
Priority: P2
Component: DOM
Assignee: webkit-unassigned at lists.webkit.org
Reporter: danhite at me.com
I just got ipadOS 15.4beta 1 and was excited to try the new "inert" idl/attribute
which worked as expected wrt the spec (good work, very cool!!);
https://html.spec.whatwg.org/multipage/interaction.html#inert
however the spec itself has a blindspot in that it refers to ~just html elements, ignoring the
<svg> elements integration within html
that is, on the very first page I tried testing inert, which describes the inert attribute:
https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/inert
^ then setting document.body.inert = true
Immediately I found an oops-isn't-actually-inert misfeature when tapping around the (inert) page suddenly nav'ed me
you see, MDN does their upper left logo/link html <a> as having an <svg> graphic within it
if you replace the innerHTML of their <a> with text (ie html not svg) then the page was satisfactorily inert
but your hit-test-event-dispatch code for a tap within the svg apparently doesn't follow your new html inert logic
since it dispatches and bubbles into the html <a> and thus navs
if the inert feature, in future, were in widespread use, then this spec foo could be a minor security issue, as page authors might
assume they'd locked down ui on a piece of sanitized html, but suddenly a simplistic attack gets an activation ala
<svg><a ...
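A page-level stopgap for the behaviour reported above, as an added example that is not part of the original report or WebKit's code: a capture-phase listener that cancels activation for any event whose composed path crosses an inert element, whatever namespace the target is in. The function names and the `constructedEvent` stand-in objects are assumptions made for illustration.

```javascript
// Added example (not WebKit or MDN code): capture-phase guard that enforces
// inertness by ancestry instead of by element type.

// True if this node itself carries inert. HTML elements expose the IDL
// property; for other namespaces (SVG) fall back to the content attribute.
function isMarkedInert(node) {
  if (!node) return false;
  if (node.inert === true) return true;
  return typeof node.hasAttribute === 'function' && node.hasAttribute('inert');
}

// path: nodes from the event target outward, as event.composedPath() returns.
function pathCrossesInert(path) {
  return path.some(isMarkedInert);
}

// Cancels the default action (e.g. link navigation) and stops dispatch when
// the event originated anywhere inside an inert subtree. Returns true if blocked.
function inertGuard(event) {
  if (!pathCrossesInert(event.composedPath())) return false;
  event.preventDefault();
  event.stopImmediatePropagation();
  return true;
}

// Constructed stand-ins for DOM nodes so the logic can be exercised without
// a browser: the shape from the report, <body inert> > <a> > <svg> > <path>.
function constructedEvent(bodyInert) {
  const body = { localName: 'body', inert: bodyInert };
  const a = { localName: 'a', inert: false };
  const svg = { localName: 'svg', hasAttribute: () => false };
  const path = { localName: 'path', hasAttribute: () => false };
  const ev = { prevented: false, stopped: false };
  ev.composedPath = () => [path, svg, a, body];
  ev.preventDefault = () => { ev.prevented = true; };
  ev.stopImmediatePropagation = () => { ev.stopped = true; };
  return ev;
}

// In a page, install on the document in the capture phase so the guard runs
// before any listener or default action on the link.
if (typeof document !== 'undefined') {
  for (const type of ['click', 'auxclick']) {
    document.addEventListener(type, inertGuard, true);
  }
}
```

Because the check walks the event path and ignores element type, a tap that lands on SVG content inside an inert HTML ancestor is cancelled the same way as one on plain HTML content.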