Bug#611354: iceweasel: a page should not be allowed to steal the focus from other elements

Vincent Lefevre vincent at vinc17.net
Fri Jan 28 12:41:50 UTC 2011


Package: iceweasel
Version: 3.5.16-4
Severity: important
Tags: security

Copy of my bug report from

  https://bugzilla.mozilla.org/show_bug.cgi?id=629412

but note that Firefox 4 nightly doesn't have this problem (and as said
in the comments, focus handling was rewritten for Firefox 3.6). Also
note that this problem is reproducible with "iceweasel -safe-mode".

When opening an identi.ca page, the page steals the focus from other
elements once it has been entirely loaded.

Reproducible: Always

Steps to Reproduce:
1. Open http://identi.ca/ (note: an account may be needed to get
the "What's up" text input).
2. Click in the location bar or the search bar, and start typing
something.

Actual Results:  
Once the page is loaded, what the user types goes to the "What's up" text
input, and if the user types [Enter], the text is posted to identi.ca.

Expected Results:  
The focus should not be stolen from the address or search bar.

Since the text may become public (e.g. with identi.ca), this can be a
security/privacy problem. Thus setting the severity to important.

-- Package-specific info:

-- Extensions information
Name: DOM Inspector
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/inspector at mozilla.org
Package: xul-ext-dom-inspector
Status: enabled

Name: Default
Location: /usr/lib/iceweasel/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: Dictionnaire français «Classique»
Location: ${PROFILE_EXTENSIONS}/fr-FR at dictionaries.addons.mozilla.org
Status: enabled

Name: Firefox Showcase
Location: ${PROFILE_EXTENSIONS}/{89506680-e3f4-484c-a2c0-ed711d481eda}
Status: enabled

Name: Flagfox
Location: ${PROFILE_EXTENSIONS}/{1018e4d6-728f-4b20-ad56-37578a4de76b}
Status: enabled

Name: Flashblock
Location: ${PROFILE_EXTENSIONS}/{3d7eb24f-2740-49df-8937-200b1cc08f8a}
Status: enabled

Name: Forecastfox Weather
Location: ${PROFILE_EXTENSIONS}/{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
Status: enabled

Name: Greasemonkey
Location: ${PROFILE_EXTENSIONS}/{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
Status: enabled

Name: HeadingsMap
Location: ${PROFILE_EXTENSIONS}/headings at niquelheadings.net
Status: enabled

Name: Link Widgets
Location: ${PROFILE_EXTENSIONS}/linkwidget at clav.mozdev.org
Status: enabled

Name: Live HTTP headers
Location: ${PROFILE_EXTENSIONS}/{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
Status: enabled

Name: Open in Browser
Location: ${PROFILE_EXTENSIONS}/openinbrowser at www.spasche.net
Status: enabled

Name: Pinger
Location: ${PROFILE_EXTENSIONS}/janetka at pinger
Status: enabled

Name: Readability
Location: ${PROFILE_EXTENSIONS}/{6005d9b1-d115-485a-a92a-3f6453ca3fe2}
Status: enabled

Name: SearchStatus
Location: ${PROFILE_EXTENSIONS}/{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
Status: enabled

Name: Stylish
Location: ${PROFILE_EXTENSIONS}/{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
Status: enabled

Name: Tab Mix Plus
Location: ${PROFILE_EXTENSIONS}/{dc572301-7619-498c-a57d-39143191b318}
Status: enabled

Name: Web Developer
Location: ${PROFILE_EXTENSIONS}/{c45c406e-ab73-11d8-be73-000a95be3b12}
Status: enabled

Name: X-Ray
Location: ${PROFILE_EXTENSIONS}/{3f1182ea-3243-4d32-8826-71fb1cc9c328}
Status: enabled

-- Plugins information
Name: DjVuLibre-3.5.23
Location: /usr/lib/netscape/plugins-libc6/nsdejavu.so
Package: djvulibre-plugin
Status: enabled

Name: Shockwave Flash
Location: /usr/lib/gnash/libgnashplugin.so
Package: browser-plugin-gnash
Status: enabled


-- Addons package information
ii  browser-plugin 0.8.8-9        GNU Shockwave Flash (SWF) player - Plugin fo
ii  djvulibre-plug 3.5.23-3       Browser plugin for the DjVu image format
ii  iceweasel      3.5.16-4       Web browser based on Firefox
ii  xul-ext-dom-in 1:2.0.8-2      tool for inspecting the DOM of pages in Icew

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:
ii  debianutils                   3.4.3      Miscellaneous utilities specific t
ii  fontconfig                    2.8.0-2.1  generic font configuration library
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib
ii  libglib2.0-0                  2.24.2-1   The GLib library of C routines
ii  libgtk2.0-0                   2.20.1-2   The GTK+ graphical user interface 
ii  libnspr4-0d                   4.8.6-1    NetScape Portable Runtime Library
ii  libstdc++6                    4.4.5-10   The GNU Standard C++ Library v3
ii  procps                        1:3.2.8-10 /proc file system utilities
ii  xulrunner-1.9.1               1.9.1.16-4 XUL + XPCOM application runner

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
ii  libgssapi-krb5-2            1.8.3+dfsg-4 MIT Kerberos runtime libraries - k
ii  mathematica-fonts [ttf-math 12           Installer of Mathematica fonts
pn  mozplugger                  <none>       (no description available)
ii  ttf-lyx                     1.6.7-1      TrueType versions of some TeX font
ii  xfonts-mathml               4            Type1 Symbol font for MathML
pn  xprint                      <none>       (no description available)

Versions of packages xulrunner-1.9.1 depends on:
ii  libasound2             1.0.23-2.1        shared library for ALSA applicatio
ii  libatk1.0-0            1.30.0-1          The ATK accessibility toolkit
ii  libbz2-1.0             1.0.5-6           high-quality block-sorting file co
ii  libc6                  2.11.2-10         Embedded GNU C Library: Shared lib
ii  libcairo2              1.8.10-6          The Cairo 2D vector graphics libra
ii  libdbus-1-3            1.2.24-4          simple interprocess messaging syst
ii  libfontconfig1         2.8.0-2.1         generic font configuration library
ii  libfreetype6           2.4.2-2.1         FreeType 2 font engine, shared lib
ii  libgcc1                1:4.4.5-10        GCC support library
ii  libglib2.0-0           2.24.2-1          The GLib library of C routines
ii  libgtk2.0-0            2.20.1-2          The GTK+ graphical user interface 
ii  libhunspell-1.2-0      1.2.11-1          spell checker and morphological an
ii  libjpeg62              6b1-1             The Independent JPEG Group's JPEG 
ii  libmozjs2d             1.9.1.16-4        The Mozilla SpiderMonkey JavaScrip
ii  libnspr4-0d            4.8.6-1           NetScape Portable Runtime Library
ii  libnss3-1d             3.12.8-2          Network Security Service libraries
ii  libpango1.0-0          1.28.3-1+squeeze1 Layout and rendering of internatio
ii  libpng12-0             1.2.44-1          PNG library - runtime
ii  libreadline6           6.1-3             GNU readline and history libraries
ii  libsqlite3-0           3.7.4-2           SQLite 3 shared library
ii  libstartup-notificatio 0.10-1            library for program launch feedbac
ii  libstdc++6             4.4.5-10          The GNU Standard C++ Library v3
ii  libx11-6               2:1.3.3-4         X11 client-side library
ii  libxrender1            1:0.9.6-1         X Rendering Extension client libra
ii  libxt6                 1:1.0.7-1         X11 toolkit intrinsics library
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

-- no debconf information




