[Webkit-unassigned] [Bug 235836] document <body inert=true> fails to block activation from contained svg elements

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Jan 29 08:48:10 PST 2022


Sam Sneddon [:gsnedders] <gsnedders at apple.com> changed:

           What    |Removed                     |Added
                 CC|                            |ntim at apple.com

--- Comment #1 from Sam Sneddon [:gsnedders] <gsnedders at apple.com> ---
(In reply to Dan Hite from comment #0)
> I just got ipadOS 15.4beta 1 and was excited to try the new "inert"
> idl/attribute
> which worked as expected wrt the spec (good work, very cool!!);
> https://html.spec.whatwg.org/multipage/interaction.html#inert
> however the spec itself has a blindspot in that it refers to ~just html
> elements, ignoring the
> <svg> elements integration within html

pretty sure from a spec POV it applies to the entire subtree, regardless of whether they're HTML or SVG or MathML or anything else

> that is, on very first page I tried testing inert, which describes the inert
> attribute:
> https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/inert
> ^ then setting document.body.inert = true
> Immediately I found an oops-isn't-actually-inert misfeature when tapping
> around the (inert) page suddenly nav'ed me
> you see, MDN does their upper left logo/link html <a> as having an <svg>
> graphic within it
> if you replace the innerHTML of their <a> with text (ie html not svg) then
> the page was satisfactorily inert
> but your hit-test-event-dispatch code for a tap within the svg apparently
> doesn't follow your new html inert logic
> since it dispatches and bubbles into the html <a> and thus navs
> if the inert feature, in future, were in widespread use, then this spec foo
> could be a minor security issue, as page authors might
> assume they'd locked down ui on a piece sanitized html, but suddenly a
> simplistic attack gets an activation ala
> <svg><a ...

That said, this does sound like a bug in WebKit…
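As an added example, not part of this bug report or of WebKit's own code, the following defensive check shows how a page author testing `inert` could refuse activation for any event whose target sits inside an `[inert]` subtree, regardless of whether the target is an HTML, SVG or MathML element. The function names `hasInertAncestor`, `guardActivation` and `installInertGuard` and the constructed stand-in tree are assumptions of this example.

```javascript
// Added example (not WebKit code): a capture-phase guard that suppresses
// activation events whose target lies inside an [inert] subtree. The ancestor
// walk crosses namespace boundaries, so an <svg> inside an HTML <a> inside an
// inert <body> is treated as inert, which is what the spec's subtree rule
// implies for the page described in the report.

// Pure helper so it can be exercised outside a browser. It only needs
// `parentNode` and `hasAttribute`, which real DOM Elements (HTML and SVG alike)
// and the constructed stand-in below both provide.
function hasInertAncestor(node) {
  for (let n = node; n; n = n.parentNode) {
    if (typeof n.hasAttribute === 'function' && n.hasAttribute('inert')) {
      return true;
    }
  }
  return false;
}

// Returns true when the event was suppressed. Registered in the capture phase
// on `document`, so it runs before the target's own listeners and before the
// default navigation of an enclosing <a> can happen.
function guardActivation(event) {
  if (!hasInertAncestor(event.target)) return false;
  event.preventDefault();
  event.stopImmediatePropagation();
  return true;
}

function installInertGuard(doc) {
  for (const type of ['click', 'mousedown', 'pointerdown', 'keydown']) {
    doc.addEventListener(type, guardActivation, true);
  }
}

// Only wire into a real document when one exists (browser context).
if (typeof document !== 'undefined') installInertGuard(document);

// Constructed stand-in tree (not a real DOM), mirroring the reported page:
// <body inert><a href="/"><svg><path/></svg></a></body>
function makeNode(name, attrs, parentNode) {
  return {
    nodeName: name,
    parentNode,
    hasAttribute: (a) => Object.prototype.hasOwnProperty.call(attrs, a),
  };
}

function constructedTree() {
  const body = makeNode('BODY', { inert: '' }, null);
  const anchor = makeNode('A', { href: '/' }, body);
  const svg = makeNode('svg', {}, anchor);
  const path = makeNode('path', {}, svg);
  return { body, anchor, svg, path };
}

// Minimal event stand-in recording what the guard did to it.
function fakeEvent(target) {
  const ev = { target, defaultPrevented: false, propagationStopped: false };
  ev.preventDefault = () => { ev.defaultPrevented = true; };
  ev.stopImmediatePropagation = () => { ev.propagationStopped = true; };
  return ev;
}
```

This guard only covers event-driven activation; it does not reproduce the rest of what `inert` is specified to do (removing the subtree from focus navigation and find-in-page), so it is a test-time check for the hit-testing behaviour discussed above rather than a replacement for the attribute. Blocking `keydown` is deliberately coarse: a keyboard-driven activation of an <a> inside the inert subtree is exactly the case a page author relying on `inert` expects to be impossible.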
