[Webkit-unassigned] [Bug 235836] New: document <body inert=true> fails to block activation from contained svg elements

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 28 14:18:49 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=235836

            Bug ID: 235836
           Summary: document <body inert=true> fails to block activation
                    from contained svg elements
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: iPhone / iPad
                OS: iOS 15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: danhite at me.com

I just got iPadOS 15.4 beta 1 and was excited to try the new "inert" IDL/attribute,
which worked as expected wrt the spec (good work, very cool!!):
https://html.spec.whatwg.org/multipage/interaction.html#inert

However, the spec itself has a blind spot in that it refers to ~just HTML elements, ignoring the
integration of <svg> elements within HTML.

That is, on the very first page I tried testing inert on, which describes the inert attribute:
https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/inert

^ then setting document.body.inert = true.
Immediately I found an oops-isn't-actually-inert misfeature: tapping around the (inert) page suddenly nav'ed me.

You see, MDN does their upper-left logo/link HTML <a> as having an <svg> graphic within it.

If you replace the innerHTML of their <a> with text (i.e. HTML, not SVG), then the page is satisfactorily inert,

but your hit-test/event-dispatch code for a tap within the SVG apparently doesn't follow your new HTML inert logic,
since it dispatches and bubbles into the HTML <a> and thus navs.
If the inert feature were, in future, in widespread use, then this spec foo could be a minor security issue, as page authors might
assume they'd locked down the UI on a piece of sanitized HTML, but suddenly a simplistic attack gets an activation à la
<svg><a ...
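A minimal test page for the behaviour described in the report, added here as an example (it is neither the reporter's test case nor WebKit code). It assumes a browser that supports the inert attribute; the element ids, the log format and the link targets are constructed. Load it and tap or click each link: under an inert body, a conforming browser logs nothing for either link, while the behaviour reported above would log a click whose nearest ancestor <a> is the SVG one.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>inert vs. SVG link: manual check (constructed test page)</title>
<!-- Constructed test page, not from the bug report or WebKit. The whole body
     is inert, so no pointer event should reach any descendant, HTML or SVG. -->
<body inert>
  <!-- Control: plain HTML link. Expected with inert: no click reaches it. -->
  <p><a id="html-link" href="#html">HTML link (control)</a></p>

  <!-- Case under test: an SVG <a> inside the same inert body. Per the HTML
       spec it must be just as unreachable; the report says it activates. -->
  <svg width="200" height="60" viewBox="0 0 200 60" role="img"
       aria-label="SVG link">
    <a id="svg-link" href="#svg">
      <rect width="200" height="60" fill="#ccc"/>
      <text x="10" y="35">SVG link (test)</text>
    </a>
  </svg>

  <!-- Log output. Rendering still updates inside an inert subtree; only
       interaction is blocked. -->
  <pre id="log"></pre>

  <script>
    const log = document.getElementById('log');
    function record(msg) { log.textContent += msg + '\n'; }

    // Capture-phase listener at the document: records any click whose target
    // lies inside the body. With a correctly inert body nothing is dispatched
    // to body's descendants, so the log stays empty after tapping both links.
    document.addEventListener('click', (ev) => {
      const target = ev.target;
      // Element.closest matches an <a> in either the HTML or the SVG namespace
      // (an unqualified type selector matches any namespace).
      const link = target.closest ? target.closest('a') : null;
      record('click reached <' + target.nodeName + '> in ' + target.namespaceURI +
             '; nearest <a>: ' + (link ? '#' + link.id : 'none'));
      // Keep the page in place so the log survives even if a link was reached.
      ev.preventDefault();
    }, true);

    // Confirm the browser actually supports inert and that the body reflects
    // the attribute through the IDL property the report used.
    record('inert supported: ' + ('inert' in HTMLElement.prototype));
    record('document.body.inert = ' + document.body.inert);
  </script>
</body>
```

The document-level capture listener calls preventDefault so a wrongly dispatched activation shows up in the log instead of navigating away; an empty log after tapping both links is the expected, spec-conforming outcome. If "inert supported" logs false, the browser ignores the attribute entirely and clicks on both links will be logged, which is a different (unsupported-feature) result from the SVG-only leak the report describes.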
