[Webkit-unassigned] [Bug 235836] document <body inert=true> fails to block activation from contained svg elements
bugzilla-daemon at webkit.org
Sat Jan 29 08:48:10 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=235836
Sam Sneddon [:gsnedders] <gsnedders at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ntim at apple.com
--- Comment #1 from Sam Sneddon [:gsnedders] <gsnedders at apple.com> ---
(In reply to Dan Hite from comment #0)
> I just got ipadOS 15.4beta 1 and was excited to try the new "inert"
> idl/attribute
> which worked as expected wrt the spec (good work, very cool!!);
> https://html.spec.whatwg.org/multipage/interaction.html#inert
>
> however the spec itself has a blindspot in that it refers to ~just html
> elements, ignoring the
> <svg> elements integration within html
pretty sure from a spec POV it applies to the entire subtree, regardless of whether they're HTML or SVG or MathML or anything else
>
> that is, on very first page I tried testing inert, which describes the inert
> attribute:
> https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/inert
>
> ^ then setting document.body.inert = true
> Immediately I found an oops-isn't-actually-inert misfeature when tapping
> around the (inert) page suddenly nav'ed me
>
> you see, MDN does their upper left logo/link html <a> as having an <svg>
> graphic within it
>
> if you replace the innerHTML of their <a> with text (ie html not svg) then
> the page was satisfactorily inert
>
> but your hit-test-event-dispatch code for a tap within the svg apparently
> doesn't follow your new html inert logic
> since it dispatches and bubbles into the html <a> and thus navs
>
>
> if the inert feature, in future, were in widespread use, then this spec foo
> could be a minor security issue, as page authors might
> assume they'd locked down ui on a piece of sanitized html, but suddenly a
> simplistic attack gets an activation ala
> <svg><a ...
That said, this does sound like a bug in WebKit…
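A page-level stopgap for the behaviour reported above, as an added example that is not part of the original message and is not WebKit code: a capture-phase listener that cancels click activation whenever the event path crosses an element carrying the `inert` attribute, whatever namespace the target is in. The function names are hypothetical, and it only covers inertness set through the attribute.

```javascript
// Added example: defensive guard for pages that rely on `inert` to lock UI.
// Names (pathCrossesInert, guardInertActivation, installInertGuard) are
// hypothetical and not taken from the bug report or from WebKit.

const ELEMENT_NODE = 1;

// True if any element on the event's propagation path has the inert attribute.
// composedPath() lists the target and all of its ancestors, so an <svg> or
// <path> target inside an HTML <a> is checked the same way as HTML content.
function pathCrossesInert(event) {
  return event.composedPath().some(
    (node) => node.nodeType === ELEMENT_NODE && node.hasAttribute('inert')
  );
}

// Cancels the default action (link navigation) and stops the event before
// it reaches listeners deeper in the tree. Returns true if it was blocked.
function guardInertActivation(event) {
  if (!pathCrossesInert(event)) {
    return false;
  }
  event.preventDefault();
  event.stopImmediatePropagation();
  return true;
}

// Register in the capture phase so the guard runs ahead of listeners
// registered on elements inside the inert subtree.
function installInertGuard(root) {
  for (const type of ['click', 'auxclick']) {
    root.addEventListener(type, guardInertActivation, true);
  }
}

// Only install when running in a browser.
if (typeof document !== 'undefined') {
  installInertGuard(document);
}
```

In an engine that implements `inert` for the whole subtree the guard never fires, so it can stay in place as a regression tripwire.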