diff --git a/source b/source index 0043c75901b..17797a86de0 100644 --- a/source +++ b/source @@ -77035,6 +77035,20 @@ body { display:none } revealing algorithm on node.
+
+
+ When find-in-page auto-expands a details
element like this, it will fire a toggle
event. As with the separate scroll
event that find-in-page fires, this event could be used by the
+ page to discover what the user is typing into the find-in-page dialog. If the page creates a tiny
+ scrollable area with the current search term and every possible next character the user could type
+ separated by a gap, and observes which one the browser scrolls to, it can add that character to
+ the search term and update the scrollable area to incrementally build the search term. By wrapping
+ each possible next match in a closed details
element, the page could listen to toggle
events instead of scroll
+ events. This attack could be addressed for both events by not acting on every character the user
+ types into the find-in-page dialog.
The find-in-page process is invoked in the context of a document, and may have an effect on
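Review bot: the added paragraph re-describes the whole scroll-event side channel ("If the page creates a tiny scrollable area with the current search term and every possible next character ... incrementally build the search term") before reaching the toggle-specific point, even though it opens with "As with the separate scroll event that find-in-page fires"; consider cross-referencing that existing scroll-event description and keeping only the details-specific sentence, "By wrapping each possible next match in a closed details element, the page could listen to toggle events instead of scroll events." The closing sentence, "This attack could be addressed for both events by not acting on every character the user types into the find-in-page dialog", is the only implementer guidance in the hunk and reads as an aside; if the intent is that user agents should not react to find-in-page input per keystroke, phrase it as an explicit recommendation to user agents and place it where the scroll-event text lives so both events share one mitigation note rather than two partial ones.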