[HN Gopher] Safari on iOS can overlap multiple full-screen videos
___________________________________________________________________
Safari on iOS can overlap multiple full-screen videos
Author : mmazzarolo
Score : 97 points
Date : 2022-06-16 16:01 UTC (6 hours ago)
(HTM) web link (mmazzarolo.com)
(TXT) w3m dump (mmazzarolo.com)
| influx wrote:
| Did you report this to Apple?
| mmazzarolo wrote:
| I did not. I already wasted enough time and energy in the past
| reporting a security vulnerability in Safari's CSP to know that
| reporting it is not worth it.
| imbnwa wrote:
| HN/Tech industry social media part-times as a tracker anyway
| aaaaaaaaaaab wrote:
| It is well known that reporting anything to Apple is a waste of
| time.
| nojito wrote:
| Based on what exactly? There have been a bunch of reported
| bugs fixed in the last 24 hours.
|
| https://bugs.webkit.org/buglist.cgi?chfield=%5BBug%20creatio...
| saagarjha wrote:
| Most of those are bugs filed by Apple employees to back the
| commits they'd like to get merged.
| theseobosscom wrote:
| I recently experienced almost the same bug, I opened YouTube in a
| normal tab and was able to play another video in a private tab
| and both videos played simultaneously.
| mh- wrote:
| That feels like a bug worth independently filing. I'm not sure
| what I expected the behavior of a private tab to be, when
| "backgrounded" in favor of a normal one, but it's not that.
| smoldesu wrote:
| Definitely looks like the kind of bug I'd find exploited on early
| Internet Explorer. Open a suspicious tab, get spammed with
| fullscreen ads! Now _that's_ thinking differently.
| isodev wrote:
| I have a project where this is a legitimate use case. Indeed,
| Safari was the only browser where it was possible to implement
| without trickeries... eventually the team managed to get a
| version for Firefox and Chromiums as well (on desktop too).
| Thorrez wrote:
| What is the use case?
| smoldesu wrote:
| What is your legitimate use-case for opening multiple
| overlapping fullscreen video players?
| code_duck wrote:
| The worst experience I've had on iOS, fairly recently, was
| clicking on a search result and being redirected to a dodgy
| website which displayed a "your phone has a virus!" pop up,
| started attempting to call a phone number repeatedly, and
| somehow corrupted the OS to where I saw a distorted version of
| the left-hand slide menu from the home screen, could not go to
| the home screen, close the app or reboot. I managed to reboot
| through a different method but it's made me very wary of going
| to random websites on my phone.
| r00fus wrote:
| I've never had this kind of experience for the past 14 years
| on iOS. How could a website get access to call numbers
| without interaction?
| code_duck wrote:
| I have encountered websites attempting to call a number,
| but not repeatedly prior to that. I assume it's through
| JavaScript, of course.
|
| It pops up an interface on the lower side of the screen
| asking "do you want to dial this number?" or something like
| that. This seems to be the relevant doc:
| https://developer.apple.com/library/archive/featuredarticles...
| Operyl wrote:
| It's spamming the modal asking if you want to call x phone
| number, probably.
| code_duck wrote:
| The corruption of the interface was the most disturbing
| thing. It was showing the left-hand slide home screen
| menu offset, overlapping with other elements, without any
| ability to interact with it. It must be some sort of
| memory corruption vulnerability, I assume. Apple did an
| update a week or two later which addressed some sort of
| zero day... So clearly I was wondering exactly how hacked
| my phone might have been. I was able to reboot and it
| seems OK, but who knows.
| Operyl wrote:
| Apple addresses zero days and security related bugs every
| single update, I wouldn't get paranoid about a visual
| glitch on its own honestly.
| code_duck wrote:
| It prevented me from launching, switching or killing any
| apps or rebooting the phone. The phone was entirely
| unusable until I figured out how to reboot. That's more
| than visual. My impression is that it was memory only,
| but it was extremely suspicious. It's quite possible that
| data was exfiltrated.
| Operyl wrote:
| Simply locking up Springboard with a DoS doesn't
| necessarily mean you were breached on the device. It's
| more likely that nothing came of it, exfiltrating data
| would involve breaching a lot of sandboxing and we'd be
| seeing a lot more chatter about that honestly.
| code_duck wrote:
| Sure, there's been no evidence of anything wrong since
| then, either with my phone or related accounts. Apple did
| fix a couple 0 days with more serious implications
| shortly after this, but it's not as if I or a random
| search result website would be worth someone using a 0
| day.
| Maursault wrote:
| A bug is an error in source code that causes a program to
| produce unexpected results or crash altogether, i.e. something
| that doesn't work, something broken; the user initiates an
| action, the action fails or program crashes. That isn't what
| this is. This is the user intentionally opening multiple
| overlapping fullscreen videos. You can make a computer saturate
| its processor indefinitely with a while-loop, but that doesn't
| make it a bug.
| mmazzarolo wrote:
| I would still consider a missing safety check (like in this
| case, to check if there's already a full screen video open)
| as a bug.
| Maursault wrote:
| And I'd agree, except that this behavior _is an advertised
| feature_ of the system, in other words, if you open multiple
| fullscreen videos, you should expect to see what is seen as
| opposed to Safari crashing or the system crashing.
| Thorrez wrote:
| Where is it advertised?
| Maursault wrote:
| Back in 2010 with the release of iOS 4 and its
| multitasking feature, and probably also in 2020 with iOS
| 14's Picture in Picture mode.
| Thorrez wrote:
| Hmm, is opening a fullscreen video considered opening a
| new application, or is it considered a single application
| (the browser) displaying different content? I thought it
| was the second case, so multitasking I don't think
| applies. Same for desktop chrome, when it shows a
| fullscreen video, that's not a new application, just the
| browser displaying content in a new way.
|
| For picture in picture mode, I don't think multiple
| fullscreen videos should be a valid configuration of
| picture in picture.
| function_seven wrote:
| The user isn't the one intentionally opening these
| overlapping videos. The site they're visiting is making that
| request, and the browser is honoring it.
|
| This is a bug. These are unexpected results! And as the
| article notes, "sometimes this behavior makes Safari crash."
|
| So a website can make your browser crash by getting it to do
| something nonsensical (opening 30 overlapping full screen
| videos), without your forewarning that this could happen.
|
| You can quibble and say it's a "misfeature" or similar, but
| I'm not sure that means much.
| Maursault wrote:
| > The user isn't the one intentionally opening these
| overlapping videos.
|
| Yes, he absolutely is, and the proof is
|
| > So here's a tiny web page I created to play with it.
|
| What OP is reporting is more accurately described as a
| possible memory overflow exploit. The software appears to
| be operating as designed, but a malicious attacker might be
| able to exploit the behavior to do bad things, though this
| is not exactly _necessarily_ true, and we won't know until
| we see it happen.
| SigmundA wrote:
| >Yes, he absolutely is, and the proof is
|
| No, they aren't; there is a button that the user clicks
| that runs code to play multiple overlapping videos. This
| serves no conceivable purpose and can cause the browser
| to crash, it is a bug.
|
| The reason it works is the code is run from a user
| action, the problem is after the first video play the
| browser should no longer consider the subsequent plays a
| user action, or it should only play the last video and
| cleanup the now overlapped previous video.
| Maursault wrote:
| You're talking about design choices, not errors or
| software bugs. You have a design preference that more
| than one fullscreen video should not be permitted. But
| this is entirely an arbitrary preference. There is
| absolutely nothing inherently wrong (ethically or design-
| wise) with multiple overlapping fullscreen videos, though
| the OP is describing a very particular case that is
| strange, which is having multiple instances of the same
| video playing fullscreen. It's still not a bug. This is
| interface design.
| function_seven wrote:
| > _You have a design preference that more than one
| fullscreen video should not be permitted._
|
| I think this is where you and I are talking past each
| other. I'm not saying that multiple videos shouldn't be
| allowed. That's not the problem here.
|
| The problem is that Safari has a mechanism to ensure that
| the user wants a video to play. That mechanism looks for
| some UI action on the user's part before it will allow a
| site to launch the video player. With this new multiple-
| video feature, that mechanism is now broken. It'll say,
| "Hey you want to play this video? Yeah, ok, I will allow
| it, _and any other video the site wants to spam you with
| now_."
|
| That italicized part is the bug. It shouldn't assume the
| UI action applies to an arbitrary number of separate
| videos.
|
| The video player is fine. That's the design choice. The
| Safari code not accounting for that is the bug.
| jaywalk wrote:
| The person who created the web page is the user? I think
| you've got that backwards.
| stonemetal12 wrote:
| He found a bug and made a proof of concept webpage to
| demonstrate it. So when he talks about it he is both the
| user and the author of the web page. In general you
| wouldn't expect them to be the same person.
| function_seven wrote:
| This is weird. Okay, so it may not be a software bug at
| all, but I'm gonna move these goalposts and insist this
| is a product design bug, or something.
|
| If this is intentional behavior, I don't understand the
| point. A full-screen video should be the only one playing
| IMO. Playing multiple (windowed) videos is one thing, but
| having 30 of them overlap full screen is quite another.
| And with no affordances to mass-terminate them, the
| result is unwanted behavior.
|
| So: not a bug in the "off-by-one" or "use-after-free"
| sense, but damn if it ain't a close cousin.
| Maursault wrote:
| > Playing multiple (windowed) videos is one thing, but
| having 30 of them overlap full screen is quite another.
|
| Behavior can be duplicated on any modern computer, i.e.
| you can have as many overlapping fullscreen windows as
| memory will tolerate, probably thousands and much more
| than that. Why would anyone want to do that? To cry
| "bug," I imagine.
|
| It may not be intentional design, but my point is that
| _this is not a bug,_ by the definition of what a bug is.
| There is no actual error here. The code is operating as
| expected. There may be issues with the interface design,
| but there also very well may not be.
| bentcorner wrote:
| > It may not be intentional design, but my point is that
| this is not a bug, by the definition of what a bug is.
| There is no actual error here. The code is operating as
| expected. There may be issues with the interface design,
| but there also very well may not be.
|
| Is this a useful distinction? The user expects something,
| the designer expects something different. Just the other
| day I read about Jeep's Monostable Shifter
| (https://www.youtube.com/watch?v=jD1-aQSO5Hg) and how it
| was attributed to people getting hurt or dying. It's
| operating exactly as designed and intended but was still
| recalled.
| function_seven wrote:
| > _The code is operating as expected_
|
| I highly doubt this. When Apple rolled out multiple video
| support, they did not expect that a random website could
| --having gained permission to spawn one video player--
| reuse that blessing 29 more times.
|
| The browser will prevent auto-playing videos from
| spawning absent a user interaction. This is a feature
| that prevents pop-up hell. With this change, they failed
| to update the "make sure user is cool with this" code.
|
| It's a regression, and will be fixed in an update or I
| eat my hat.
|
| Again, I know this isn't some "error found on line 384 of
| vid.cpp" or whatever, but it's definitely not the way
| Apple wants this to work.
|
| My desktop browsers won't do this, nor any other browser
| I've used in the past 10 years.
| Maursault wrote:
| Design choices, that's all.
|
| Mobile Safari is a little different than desktop
| browsers. It uses the same engine as desktop Safari, but
| I've always suspected the video player is not built-in to
| the browser, but instead a separate and discrete
| application. I suspect this because every other
| application appears to have an identical video player.
| Maybe they're all sharing code, but more likely the video
| player is system-available to any application. But
| running multiple instances of that video player on iOS is
| academic. Why you're not able to duplicate this in any of
| your desktop browsers in the last decade is anyone's
| guess.
| SigmundA wrote:
| >Why you're not able to duplicate this in any of your
| desktop browsers in the last decade is anyone's guess.
|
| Because it's a bug not an intentional design choice. If
| you can provide a legitimate use case for being able to
| open 30 overlapping fullscreen videos from a single user
| click on a web site then you might have some sort of
| argument.
|
| This doesn't work on desktop Safari thankfully, if it did
| you could make some argument they are sharing code and
| trying to make iOS more like a desktop OS with
| multitasking, but no again there is no reason to do this
| on any OS other than to crash users' browsers.
| saagarjha wrote:
| > I've always suspected the video player is not built-in
| to the browser, but instead a separate and discrete
| application. I suspect this because every other
| application appears to have an identical video player.
| Maybe they're all sharing code, but more likely the video
| player is system-available to any application.
|
| It's provided in AVFoundation
| amendegree wrote:
| LesZedCB wrote:
| use it against them so sites can charge for a full ad watch,
| but they are hidden by the content that people actually want to
| watch.
| sp332 wrote:
| Where is the part that causes these videos to be full screen? I
| didn't see that in the HTML or JS.
| mmazzarolo wrote:
| The "play" method is enough to trigger the full screen --
| which, by the way, isn't really intuitive imho.
| judge2020 wrote:
| That's only if the video doesn't have the attribute
| `playsinline`.
| mnemnc wrote:
| That's at least the default behavior if not the only way to
| play video on iPhone's Safari. iPad Safari however supports
| non-fullscreen video playback.
| GranPC wrote:
| iOS Safari can play videos non-fullscreen with the
| playsinline or webkit-playsinline attributes. The fun thing
| though is that this attribute must be enabled manually on
| each web view, so if some other app is embedding your page
| and they didn't enable it, your videos will play fullscreen
| despite the attribute being set.
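An added example, not code from the post's author or from WebKit, showing the page-side counterpart of what judge2020 and GranPC describe: every video is marked `playsinline`, and a small gate lets only one video own the native fullscreen player at a time, so one user gesture cannot be reused to stack players. It assumes WebKit's `webkitbeginfullscreen` / `webkitendfullscreen` element events; `FullscreenGate` and `installGlobally` are hypothetical names, and (as GranPC notes) none of this helps if an embedding app's web view disallows inline playback.

```javascript
// Added example, not from the original post or WebKit. Keeps at most one <video>
// in iOS Safari's native fullscreen player and marks the rest `playsinline`.
// Assumes WebKit's `webkitbeginfullscreen` / `webkitendfullscreen` element events;
// FullscreenGate and installGlobally are hypothetical names.

class FullscreenGate {
  constructor() {
    this.current = null; // video element that currently owns native fullscreen
    this.blocked = 0;    // play() requests refused while another video was fullscreen
  }

  // Register one video element and return it for chaining.
  register(video) {
    // Inline by default; the user must deliberately enter fullscreen.
    video.setAttribute('playsinline', '');
    video.addEventListener('webkitbeginfullscreen', () => {
      // Never stack players: pause whichever video held fullscreen before.
      if (this.current && this.current !== video) this.current.pause();
      this.current = video;
    });
    video.addEventListener('webkitendfullscreen', () => {
      if (this.current === video) this.current = null;
    });
    return video;
  }

  // Decide whether `video` may start; false if a different video owns fullscreen.
  allow(video) {
    if (this.current && this.current !== video) {
      this.blocked += 1;
      return false;
    }
    return true;
  }

  // Gate a play request coming from the page's own code.
  requestPlay(video) {
    if (!this.allow(video)) return false;
    video.play();
    return true;
  }
}

// Route every play() on the page, including calls from third-party scripts,
// through the gate by wrapping the prototype method (HTMLMediaElement.prototype
// in a browser; a plain object works for offline testing). Returns the native play.
function installGlobally(gate, proto) {
  const nativePlay = proto.play;
  proto.play = function gatedPlay(...args) {
    if (!gate.allow(this)) return Promise.reject(new Error('another video is fullscreen'));
    return nativePlay.apply(this, args);
  };
  return nativePlay;
}

// Browser wiring (skipped under Node): guard every <video> present at load.
if (typeof document !== 'undefined') {
  const gate = new FullscreenGate();
  document.querySelectorAll('video').forEach((v) => gate.register(v));
  installGlobally(gate, HTMLMediaElement.prototype);
}
```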
| happyopossum wrote:
| Fullscreen is definitely not the only way to play video on
| iOS safari...
| tinus_hn wrote:
| YouTube (the website) plays video in a frame just fine.
| londons_explore wrote:
| In general browser vendors don't care about DoS bugs like this.
|
| If a web page can do something that stops the browser responding
| or locks it up, the browser vendor won't fix it. They'll just say
| "well don't visit webpages that do that then".
| saagarjha wrote:
| This is definitely something browser vendors care about and
| design around.
| hbn wrote:
| I've discovered this while fighting another issue: if you long-
| press a link to a video file to try and save it to your device (I
| occasionally do this while ripping videos from Twitter), you get
| the long-press context menu you want (with the "download linked
| file" item) for like half a second before the full screen video
| covers up your whole screen, and when you swipe it away the
| context menu is gone.
|
| You literally have to race the video popup, and sometimes I just
| have to memorize the location on my phone's screen where the
| "download linked file" button will appear and have my finger
| ready over the spot because there's not enough time to scan over
| all the menu items.
| reaperducer wrote:
| _if you long-press a link to a video file to try and save it to
| your device (I occasionally do this while ripping videos from
| Twitter), you get the long-press context menu you want (with
| the "download linked file" item) for like half a second before
| the full screen video covers up your whole screen, and when you
| swipe it away the context menu is gone._
|
| Is it possible that this is related to the iOS link preview
| feature?
|
| When you long-press a link, do you get the full destination
| page preview? That might explain why the phone renders the
| page, including the video taking over.
|
| Long-press on another page link (like one here on HN), and you
| have a tiny option at the top-right for "Hide preview," select
| that. Then try another link that has a take-over video, and see
| if it no longer does that.
|
| If you hate video takeovers more than you like link previews,
| this might solve your problem.
| hbn wrote:
| That did indeed fix my issue, thank you!
|
| I don't recall ever using link previews very much. I suppose
| if I really need it I can toggle it on for that specific
| instance, but as it is it's not worth it for the video
| hijacking.
| TechBro8615 wrote:
| FYI if you notice regressive behavior on YouTube in mobile
| Safari, e.g. unable to use the operating system's picture-in-
| picture mode, this is due to Google injecting a script to close
| the video when focus leaves the page.
|
| You can fix this bug by installing a Safari extension called
| Vinegar which will convert non-standard video containers to
| standard HTML5 video elements. As a bonus, this also prevents
| content injection by the malicious code that google sends to
| your browser to render content from third party advertisers on
| your device without your consent.
| 2fast4you wrote:
| Thank you! This makes YouTube usable again on my iPhone. Now
| if only I could get SponsorBlock...
| ehPReth wrote:
| Glad it's not just me! This has been bugging me for quite a
| while.
| dutchbrit wrote:
| Ha, it's been bugging me for a long time too. Frustrating!
| hbn wrote:
| Turns out there is a solution! Check the sibling comment:
|
| https://news.ycombinator.com/item?id=31770188
| zagrebian wrote:
| Did anyone file a bug on https://bugs.webkit.org?
| happyopossum wrote:
| FWIW, on iOS 16 beta I only get one video window using this
| sample site - no crazy overlapping anything...
| mmazzarolo wrote:
| That's nice to hear. It really was a bug, then.
| Operyl wrote:
| You've got a weird config that seems to make it not happen to
| you then. On a fresh device, stock options, running beta 1 I
| still see this issue. It's not nearly as bad as it is in his
| video demo but it still exists.
| post_break wrote:
| This happens when you browse sites that are "cancer for mobile"
| when looking at NSFW things. Not that I would know anything about
| that.
| mike10921 wrote:
| Well if these websites were not doing it till now, we now have
| a great reference explaining how to do so. :)
| casefields wrote:
| Pirated sports streams too sometimes.
___________________________________________________________________
(page generated 2022-06-16 23:00 UTC)