diff --git a/source b/source index 0043c75901b..17797a86de0 100644 --- a/source +++ b/source @@ -77035,6 +77035,20 @@ body { display:none } revealing algorithm on node.

+

+ + When find-in-page auto-expands a details element like this, it will fire a toggle event. As with the separate scroll event that find-in-page fires, this event could be used by the + page to discover what the user is typing into the find-in-page dialog. If the page creates a tiny + scrollable area with the current search term and every possible next character the user could type + separated by a gap, and observes which one the browser scrolls to, it can add that character to + the search term and update the scrollable area to incrementally build the search term. By wrapping + each possible next match in a closed details element, the page could listen to toggle events instead of scroll + events. This attack could be addressed for both events by not acting on every character the user + types into the find-in-page dialog.

+

Interaction with selection

The find-in-page process is invoked in the context of a document, and may have an effect on
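Review bot: The closing sentence of the added paragraph ("This attack could be addressed for both events by not acting on every character the user types into the find-in-page dialog") states the mitigation only as a possibility, so a reader cannot tell whether user agents are expected to do anything. Consider wording it as explicit guidance to user agents and spelling out what "not acting on every character" covers, for instance whether both the scroll and the details auto-expansion (and its toggle event) are held back until the user has finished entering the search term. The paragraph also leans on "the separate scroll event that find-in-page fires" without saying where that is described; a cross-reference to that text would let the two leak descriptions be read together.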