Modal dialogs and other things that steal keyboard focus are dangerous

May 27, 2022

Over on Twitter I said some things:

Focus stealing dialogs are actively dangerous. An Ubuntu 22.04 Cinnamon session flashed a dialog up for less than half a second because I was in the process of typing, so it stole focus, stole my keyboard input, decided to accept something, and disappeared.

What did I just do or agree to or accept or whatever in that desktop session? I have no idea and no way to find out. I sure hope it wasn't important, damaging or both.

Worse, what I was typing when Ubuntu 22.04 Cinnamon's focus-stealing dialog stole some of my keystrokes was important and didn't tolerate having a chunk of input removed. There are lots of contexts like this in Unix, such as editors (Vim commands are a classic).

Obviously this is bad on both sides. If the people who created the dialog wanted me to make an intelligent, informed choice about whatever they were asking me about, they failed; instead I made some blind choice triggered by unknown keystrokes. In retrospect, it seems likely that my keystrokes included a Return that accepted the default option of the dialog, and my other keystrokes were ignored, but it's possible that something else happened (since there's a certain amount of keyboard navigation of things these days). And I have no idea what the dialog was about and what effects it had, which leaves me alarmed, uncertain, and unhappy.

(In addition, the input a dialog captures may contain sensitive information, for example a password you were in the middle of typing when the dialog popped up. It's not difficult to imagine ways that your typed text would be captured; consider a dialog with a single text field that's finished when you hit Return.)

On the non-dialog side of things, removing the middle of a chunk of input you're giving to a program is rarely a harmless activity. If you're lucky, things fail cleanly; if you're unlucky (for example in Vim command mode), what remains may have wide-ranging unintended consequences. Either way, your activity has been disrupted. As a system administrator I feel unusually strongly about this because I periodically type input into sensitive and dangerous contexts, where unintended actions can have severe consequences. But there are a lot of places where this can happen and a lot of ways for work to get damaged.

In the modern browser-based world, desktop modal dialog popups are far from the only place this can happen. With JavaScript and other things, web pages (and web applications) are just as capable of hijacking keyboard focus and redirecting your input somewhere unexpected, and then doing a wide range of unwanted actions based on however the stolen keyboard input was interpreted. And on the other side, if you're using a web application that believes in keyboard shortcuts that can trigger damaging actions, such a temporary redirection (or the end of it) might be especially dangerous. As an example that's relevant to us, Grafana dashboards come loaded with keyboard shortcuts, some of them very dangerous. Even 'plain' websites are potentially dangerous; GitHub has plenty of keyboard shortcuts, for example.
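As an added example (not code from the original post), here is the defensive shape that both sides of this problem call for: the dialog side, where a stray Return must not accept a default, and the web application side, where keyboard shortcuts must not fire on keystrokes that were meant for something else. The guard below drops any keystroke that arrives within a short "settle" window after focus moved into the dialog or shortcut scope, records what it dropped so the user can be told, never lets a bare Enter or Space trigger a destructive action, and leaves keys typed into editable controls alone. Event objects are plain records carrying only the fields the guard reads, so the code runs under Node without a DOM; the one-second settle window, the `Ctrl+Shift+Enter` confirmation chord and the replayed scenario are all assumptions made for the example.

```javascript
// Added example: a keyboard-input guard for dialogs and shortcut handlers.
// Assumed policy values (not from the original post); tune per application.
const SETTLE_MS = 1000;

// Keys that a freshly opened dialog typically interprets as "accept".
const ACCEPT_KEYS = new Set(['Enter', ' ']);

class FocusGuard {
  constructor({ settleMs = SETTLE_MS, now = () => Date.now() } = {}) {
    this.settleMs = settleMs;
    this.now = now;
    this.focusedAt = -Infinity;   // time at which focus last moved into scope
    this.dropped = [];            // keystrokes swallowed during the settle window
  }

  // Call whenever a dialog opens or keyboard focus moves into the shortcut scope
  // (in a browser: from the dialog's open logic or a 'focusin' listener).
  focusGained() {
    this.focusedAt = this.now();
  }

  // Decide what a keydown event should do. `event` carries key, modifier flags
  // and whether the key landed on an editable control; `destructive` marks a
  // bound action that must never run by accident.
  decide(event, { destructive = false } = {}) {
    // 1. Keys typed into an editable control are text, never shortcuts.
    if (event.targetEditable) return 'pass-through';
    // 2. Keys inside the settle window were almost certainly meant for whatever
    //    had focus before: drop them and remember what was dropped.
    if (this.now() - this.focusedAt < this.settleMs) {
      this.dropped.push(event.key);
      return 'dropped';
    }
    // 3. A bare Enter/Space must not "accept" a destructive action; require an
    //    explicit chord (assumed here: Ctrl+Shift+Enter) instead.
    if (destructive && ACCEPT_KEYS.has(event.key) && !(event.ctrlKey && event.shiftKey)) {
      return 'needs-confirmation';
    }
    return 'handle';
  }
}

// Controllable clock so the scenario is deterministic.
function makeClock(start = 0) {
  let t = start;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

// Constructed scenario mirroring the post: the user is typing a Vim-style
// command when a dialog appears and the tail of the command reaches the dialog.
function runScenario() {
  const clock = makeClock(0);
  const guard = new FocusGuard({ settleMs: 1000, now: clock.now });
  const decisions = [];
  const step = (ms, event, opts) => {
    clock.advance(ms);
    decisions.push(guard.decide(event, opts));
  };

  // Before the dialog: keys go to the editor (an editable target).
  step(0, { key: ':', targetEditable: true });
  step(50, { key: 'w', targetEditable: true });
  // The dialog opens and grabs focus.
  clock.advance(10);
  guard.focusGained();
  // The rest of the command lands on the dialog inside the settle window.
  step(40, { key: 'q', targetEditable: false }, { destructive: true });
  step(60, { key: 'Enter', targetEditable: false }, { destructive: true });
  // Much later, deliberate input: a bare Enter still isn't enough...
  step(2000, { key: 'Enter', targetEditable: false }, { destructive: true });
  // ...but the explicit chord is.
  step(100, { key: 'Enter', ctrlKey: true, shiftKey: true, targetEditable: false },
       { destructive: true });

  return { decisions, dropped: guard.dropped };
}

console.log(JSON.stringify(runScenario()));
```

In a real page, `focusGained` is wired to the dialog's open path (and to `focusin` on the shortcut container) and `decide` is called at the top of the `keydown` handler; the `dropped` list is what lets you tell the user "two keystrokes were ignored" instead of silently acting on them. Firefox's add-on install dialog uses the same settle-delay idea, keeping its accept button disabled for a short period after the dialog appears.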

(I know, this is pretty much preaching to the crowd. But perhaps some of my readers are involved in web pages and web applications, and you might want to consider this (from either side, whichever is applicable to you).)

Written on 27 May 2022.

Last modified: Fri May 27 22:05:47 2022