[HN Gopher] Safari on iOS can overlap multiple full-screen videos
___________________________________________________________________
Safari on iOS can overlap multiple full-screen videos
Author : mmazzarolo
Score : 97 points
Date : 2022-06-16 16:01 UTC (6 hours ago)
(HTM) web link (mmazzarolo.com)
(TXT) w3m dump (mmazzarolo.com)

| influx wrote:
| Did you report this to Apple?

| mmazzarolo wrote:
| I did not. I already wasted enough time and energy in the past reporting a security vulnerability in Safari's CSP to know that reporting it is not worth it.

| imbnwa wrote:
| HN/Tech industry social media part-times as a tracker anyway

| aaaaaaaaaaab wrote:
| It is well known that reporting anything to Apple is a waste of time.

| nojito wrote:
| Based on what exactly? There have been a bunch of reported bugs fixed in the last 24 hours.
|
| https://bugs.webkit.org/buglist.cgi?chfield=%5BBug%20creatio...

| saagarjha wrote:
| Most of those are bugs filed by Apple employees to back the commits they'd like to get merged.

| theseobosscom wrote:
| I recently experienced almost the same bug, I opened YouTube in a normal tab and was able to play another video in a private tab and both videos played simultaneously.

| mh- wrote:
| That feels like a bug worth independently filing. I'm not sure what I expected the behavior of a private tab to be, when "backgrounded" in favor of a normal one, but it's not that.

| smoldesu wrote:
| Definitely looks like the kind of bug I'd find exploited on early Internet Explorer. Open a suspicious tab, get spammed with fullscreen ads! Now _that's_ thinking differently.

| isodev wrote:
| I have a project where this is a legitimate use case. Indeed, Safari was the only browser where it was possible to implement without trickeries... eventually the team managed to get a version for Firefox and Chromiums as well (on desktop too).

| Thorrez wrote:
| What is the use case?

| smoldesu wrote:
| What is your legitimate use-case for opening multiple overlapping fullscreen video players?

| code_duck wrote:
| The worst experience I've had on iOS, fairly recently, was clicking on a search result and being redirected to a dodgy website which displayed a "your phone has a virus!" pop up, started attempting to call a phone number repeatedly, and somehow corrupted the OS to where I saw a distorted version of the left-hand slide menu from the home screen, could not go to the home screen, close the app or reboot. I managed to reboot through a different method but it's made me very wary of going to random websites on my phone.

| r00fus wrote:
| I've never had this kind of experience for the past 14 years on iOS. How could a website get access to call numbers without interaction?

| code_duck wrote:
| I have encountered websites attempting to call a number, but not repeatedly prior to that. I assume it's through JavaScript, of course.
|
| It pops up an interface on the lower side of the screen asking "do you want to dial this number?" or something like that. This seems to be the relevant doc: https://developer.apple.com/library/archive/featuredarticles...

| Operyl wrote:
| It's spamming the modal asking if you want to call x phone number, probably.

| code_duck wrote:
| The corruption of the interface was the most disturbing thing. It was showing the left-hand slide home screen menu offset, overlapping with other elements, without any ability to interact with it. It must be some sort of memory corruption vulnerability, I assume. Apple did an update a week or two later which addressed some sort of zero day... So clearly I was wondering exactly how hacked my phone might have been. I was able to reboot and it seems OK, but who knows.

| Operyl wrote:
| Apple addresses zero days and security related bugs every single update, I wouldn't get paranoid about a visual glitch on its own honestly.

| code_duck wrote:
| It prevented me from launching, switching or killing any apps or rebooting the phone. The phone was entirely unusable until I figured out how to reboot. That's more than visual. My impression is that it was memory only, but it was extremely suspicious. It's quite possible that data was exfiltrated.

| Operyl wrote:
| Simply locking up Springboard with a DoS doesn't necessarily mean you were breached on the device. It's more likely that nothing came of it, exfiltrating data would involve breaching a lot of sandboxing and we'd be seeing a lot more chatter about that honestly.

| code_duck wrote:
| Sure, there's been no evidence of anything wrong since then, either with my phone or related accounts. Apple did fix a couple 0 days with more serious implications shortly after this, but it's not as if I or a random search result website would be worth someone using a 0 day.

| Maursault wrote:
| A bug is an error in source code that causes a program to produce unexpected results or crash altogether, i.e. something that doesn't work, something broken; the user initiates an action, the action fails or program crashes. That isn't what this is. This is the user intentionally opening multiple overlapping fullscreen videos. You can make a computer saturate its processor indefinitely with a while-loop, but that doesn't make it a bug.

| mmazzarolo wrote:
| I would still consider a missing safety check (like in this case, to check if there's already a full screen video open) as a bug.

| Maursault wrote:
| And I'd agree, except that this behavior _is an advertised feature_ of the system, iow, if you open multiple fullscreen videos, you should expect to see what is seen as opposed to Safari crashing or the system crashing.

| Thorrez wrote:
| Where is it advertised?
| Maursault wrote:
| Back in 2010 with the release of iOS 4 and its multitasking feature, and probably also in 2020 with iOS 14's Picture in Picture mode.

| Thorrez wrote:
| Hmm, is opening a fullscreen video considered opening a new application, or is it considered a single application (the browser) displaying different content? I thought it was the second case, so multitasking I don't think applies. Same for desktop chrome, when it shows a fullscreen video, that's not a new application, just the browser displaying content in a new way.
|
| For picture in picture mode, I don't think multiple fullscreen videos should be a valid configuration of picture in picture.

| function_seven wrote:
| The user isn't the one intentionally opening these overlapping videos. The site they're visiting is making that request, and the browser is honoring it.
|
| This is a bug. These are unexpected results! And as the article notes, "sometimes this behavior makes Safari crash."
|
| So a website can make your browser crash by getting it to do something nonsensical (opening 30 overlapping full screen videos), without your forewarning that this could happen.
|
| You can quibble and say it's a "misfeature" or similar, but I'm not sure that means much.

| Maursault wrote:
| > The user isn't the one intentionally opening these overlapping videos.
|
| Yes, he absolutely is, and the proof is
|
| > So here's a tiny web page I created to play with it.
|
| What OP is reporting is more accurately described as a possible memory overflow exploit. The software appears to be operating as designed, but a malicious attacker might be able to exploit the behavior to do bad things, though this is not exactly _necessarily_ true, and we won't know until we see it happen.

| SigmundA wrote:
| > Yes, he absolutely is, and the proof is
|
| No they aren't, there is a button that the user clicks that runs code to play multiple overlapping videos. This serves no conceivable purpose and can cause the browser to crash, it is a bug.
|
| The reason it works is the code is run from a user action, the problem is after the first video play the browser should no longer consider the subsequent plays a user action, or it should only play the last video and cleanup the now overlapped previous video.

| Maursault wrote:
| You're talking about design choices, not errors or software bugs. You have a design preference that more than one fullscreen video should not be permitted. But this is entirely an arbitrary preference. There is absolutely nothing inherently wrong (ethically or design-wise) with multiple overlapping fullscreen videos, though the OP is describing a very particular case that is strange, which is having multiple instances of the same video playing fullscreen. It's still not a bug. This is interface design.

| function_seven wrote:
| > _You have a design preference that more than one fullscreen video should not be permitted._
|
| I think this is where you and I are talking past each other. I'm not saying that multiple videos shouldn't be allowed. That's not the problem here.
|
| The problem is that Safari has a mechanism to ensure that the user wants a video to play. That mechanism looks for some UI action on the user's part before it will allow a site to launch the video player. With this new multiple-video feature, that mechanism is now broken. It'll say, "Hey you want to play this video? Yeah, ok, I will allow it, _and any other video the site wants to spam you with now_."
|
| That italicized part is the bug. It shouldn't assume the UI action applies to an arbitrary number of separate videos.
|
| The video player is fine. That's the design choice. The Safari code not accounting for that is the bug.

| jaywalk wrote:
| The person who created the web page is the user? I think you've got that backwards.
| stonemetal12 wrote:
| He found a bug and made a proof of concept webpage to demonstrate it. So when he talks about it he is both the user and the author of the web page. In general you wouldn't expect them to be the same person.

| function_seven wrote:
| This is weird. Okay, so it may not be a software bug at all, but I'm gonna move these goalposts and insist this is a product design bug, or something.
|
| If this is intentional behavior, I don't understand the point. A full-screen video should be the only one playing IMO. Playing multiple (windowed) videos is one thing, but having 30 of them overlap full screen is quite another. And with no affordances to mass-terminate them, the result is unwanted behavior.
|
| So: not a bug in the "off-by-one" or "use-after-free" sense, but damn if it ain't a close cousin.

| Maursault wrote:
| > Playing multiple (windowed) videos is one thing, but having 30 of them overlap full screen is quite another.
|
| Behavior can be duplicated on any modern computer, i.e. you can have as many overlapping fullscreen windows as memory will tolerate, probably thousands and much more than that. Why would anyone want to do that? To cry "bug," I imagine.
|
| It may not be intentional design, but my point is that _this is not a bug,_ by the definition of what a bug is. There is no actual error here. The code is operating as expected. There may be issues with the interface design, but there also very well may not be.

| bentcorner wrote:
| > It may not be intentional design, but my point is that this is not a bug, by the definition of what a bug is. There is no actual error here. The code is operating as expected. There may be issues with the interface design, but there also very well may not be.
|
| Is this a useful distinction? The user expects something, the designer expects something different. Just the other day I read about Jeep's Monostable Shifter (https://www.youtube.com/watch?v=jD1-aQSO5Hg) and how it was attributed to people getting hurt or dying. It's operating exactly as designed and intended but was still recalled.

| function_seven wrote:
| > _The code is operating as expected_
|
| I highly doubt this. When Apple rolled out multiple video support, they did not expect that a random website could --having gained permission to spawn one video player-- reuse that blessing 29 more times.
|
| The browser will prevent auto-playing videos from spawning absent a user interaction. This is a feature that prevents pop-up hell. With this change, they failed to update the "make sure user is cool with this" code.
|
| It's a regression, and will be fixed in an update or I eat my hat.
|
| Again, I know this isn't some "error found on line 384 of vid.cpp" or whatever, but it's definitely not the way Apple wants this to work.
|
| My desktop browsers won't do this, nor any other browser I've used in the past 10 years.

| Maursault wrote:
| Design choices, that's all.
|
| mobile Safari is a little different than desktop browsers. It uses the same engine as desktop Safari, but I've always suspected the video player is not built-in to the browser, but instead a separate and discrete application. I suspect this because every other application appears to have an identical video player. Maybe they're all sharing code, but more likely the video player is system-available to any application. But running multiple instances of that video player on iOS is academic. Why you're not able to duplicate this in any of your desktop browsers in the last decade is anyone's guess.

| SigmundA wrote:
| > Why you're not able to duplicate this in any of your desktop browsers in the last decade is anyone's guess.
|
| Because it's a bug not an intentional design choice. If you can provide a legitimate use case for being able to open 30 overlapping fullscreen videos from a single user click on a web site then you might have some sort of argument.
|
| This doesn't work on desktop Safari thankfully, if it did you could make some argument they are sharing code and trying to make iOS more like a desktop OS with multitasking, but no again there is no reason to do this on any OS other than to crash users browsers.

| saagarjha wrote:
| > I've always suspected the video player is not built-in to the browser, but instead a separate and discrete application. I suspect this because every other application appears to have an identical video player. Maybe they're all sharing code, but more likely the video player is system-available to any application.
|
| It's provided in AVFoundation

| amendegree wrote:

| LesZedCB wrote:
| use it against them so sites can charge for a full ad watch, but they are hidden by the content that people actually want to watch.

| sp332 wrote:
| Where is the part that causes these videos to be full screen? I didn't see that in the HTML or JS.

| mmazzarolo wrote:
| The "play" method is enough to trigger the full screen -- which, by the way, isn't really intuitive imho.

| judge2020 wrote:
| That's only if the video doesn't have the attribute `playsinline`.

| mnemnc wrote:
| That's at least the default behavior if not the only way to play video on iPhone's Safari. iPad Safari however supports non-fullscreen video playback.

| GranPC wrote:
| iOS Safari can play videos non-fullscreen with the playsinline or webkit-playsinline attributes. The fun thing though is that this attribute must be enabled manually on each web view, so if some other app is embedding your page and they didn't enable it, your videos will play fullscreen despite the attribute being set.

| happyopossum wrote:
| Fullscreen is definitely not the only way to play video on iOS safari...
| tinus_hn wrote:
| YouTube (the website) plays video in a frame just fine.

| londons_explore wrote:
| In general browser vendors don't care about DoS bugs like this.
|
| If a web page can do something that stops the browser responding or locks it up, the browser vendor won't fix it. They'll just say "well don't visit webpages that do that then".

| saagarjha wrote:
| This is definitely something browser vendors care about and design around.

| hbn wrote:
| I've discovered this while fighting another issue: if you long-press a link to a video file to try and save it to your device (I occasionally do this while ripping videos from Twitter), you get the long-press context menu you want (with the "download linked file" item) for like half a second before the full screen video covers up your whole screen, and when you swipe it away the context menu is gone.
|
| You literally have to race the video popup, and sometimes I just have to memorize the location on my phone's screen where the "download linked file" button will appear and have my finger ready over the spot because there's not enough time to scan over all the menu items.

| reaperducer wrote:
| _if you long-press a link to a video file to try and save it to your device (I occasionally do this while ripping videos from Twitter), you get the long-press context menu you want (with the "download linked file" item) for like half a second before the full screen video covers up your whole screen, and when you swipe it away the context menu is gone._
|
| Is it possible that this is related to the iOS link preview feature?
|
| When you long-press a link, do you get the full destination page preview? That might explain why the phone renders the page, including the video taking over.
|
| Long-press on another page link (like one here on HN), and you have a tiny option at the top-right for "Hide preview," select that. Then try another link that has a take-over video, and see if it no longer does that.
|
| If you hate video takeovers more than you like link previews, this might solve your problem.

| hbn wrote:
| That did indeed fix my issue, thank you!
|
| I don't recall ever using link previews very much. I suppose if I really need it I can toggle it on for that specific instance, but as it is it's not worth it for the video hijacking

| TechBro8615 wrote:
| FYI if you notice regressive behavior on YouTube in mobile Safari, eg unable to use the operating system's picture-in-picture mode, this is due to Google injecting a script to close the video when focus leaves the page.
|
| You can fix this bug by installing a Safari extension called Vinegar which will convert non-standard video containers to standard HTML5 video elements. As a bonus, this also prevents content injection by the malicious code that google sends to your browser to render content from third party advertisers on your device without your consent.

| 2fast4you wrote:
| Thank you! This makes YouTube usable again on my iPhone. Now if only I could get SponsorBlock...

| ehPReth wrote:
| Glad it's not just me! This has been bugging me for quite a while

| dutchbrit wrote:
| Ha, it's been bugging me for a long time too. Frustrating!

| hbn wrote:
| Turns out there is a solution! Check the sibling comment:
|
| https://news.ycombinator.com/item?id=31770188

| zagrebian wrote:
| Did anyone file a bug on https://bugs.webkit.org?

| happyopossum wrote:
| FWIW, on iOS 16 beta I only get one video window using this sample site - no crazy overlapping anything...

| mmazzarolo wrote:
| That's nice to hear. It really was a bug, then.

| Operyl wrote:
| You've got a weird config that seems to make it not happen to you then. On a fresh device, stock options, running beta 1 I still see this issue. It's not nearly as bad as it is in his video demo but it still exists.
| post_break wrote:
| This happens when you browse sites that are "cancer for mobile" when looking at NSFW things. Not that I would know anything about that.

| mike10921 wrote:
| Well if these websites were not doing it till now, we now have a great reference explaining how to do so. :)

| casefields wrote:
| Pirated sports streams too sometimes.

___________________________________________________________________
(page generated 2022-06-16 23:00 UTC)