Disable context help in secure screen to avoid a security exploit. #13353
Link to issue number:
None
Can be considered a follow-up of #13059.
Summary of the issue:
If you open NVDA parameters from the secure screen and press F1, context help opens in Internet Explorer.
I am not an expert in security, but I think that it's not secure to have access to the browser from the secure screen.
More specifically, via the browser's open dialog, I am able to open any file in Notepad and modify it, e.g. allowing me to activate the NVDA console.
Description of how this pull request fixes the issue:
Since context help is displayed in a browser, disable it on the secure screen.
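The fix described above amounts to putting a single guard in front of every feature that would hand control to an external application (a browser, in this case) while NVDA runs on a secure screen. The following is an added illustration of that pattern and is not NVDA's own code: `globalVars.appArgs.secure` is the real flag the manual test on this page flips, but `globalVars` is replaced here by a constructed stand-in, and `blockedOnSecureScreen`, `openContextHelp`, `launched`, `blockedAttempts` and `simulateSecureScreen` are hypothetical names introduced for the example.

```python
"""Added example, not part of NVDA: gate browser-backed features behind the
secure-screen flag so nothing external can be launched from a secure desktop."""
import functools
import types

# Constructed stand-in for NVDA's globalVars.appArgs. In NVDA the `secure`
# attribute comes from the command line; only that attribute is modelled here.
globalVars = types.SimpleNamespace(appArgs=types.SimpleNamespace(secure=False))

# Stand-ins for side effects: what would have been opened in a browser, and
# which calls were refused because the secure flag was set (useful for logging).
launched = []
blockedAttempts = []


def blockedOnSecureScreen(func):
    """Hypothetical decorator: turn `func` into a no-op on the secure screen.

    The wrapped function is simply not called, and None is returned, which
    matches the "nothing happens" behaviour the PR describes for F1.
    """
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        if globalVars.appArgs.secure:
            blockedAttempts.append(func.__name__)
            return None
        return func(*args, **kwargs)
    return wrapper


@blockedOnSecureScreen
def openContextHelp(helpId):
    """Hypothetical helper standing in for NVDA's context-help entry point.

    In NVDA this would open a user-guide anchor in the default browser; here
    the URL is only recorded so the example runs offline.
    """
    url = f"userGuide.html#{helpId}"
    launched.append(url)
    return url


def simulateSecureScreen(secure):
    """Mirror of the manual test on this page: flip the flag at runtime."""
    globalVars.appArgs.secure = secure


if __name__ == "__main__":
    print(openContextHelp("GeneralSettings"))   # opened: userGuide.html#GeneralSettings
    simulateSecureScreen(True)
    print(openContextHelp("GeneralSettings"))   # None: refused on the secure screen
    print(blockedAttempts)                      # ['openContextHelp']
```

Routing every browser-launching entry point through one such guard, rather than adding an `if` to each caller, keeps the check from being forgotten when a new feature is added, and the `blockedAttempts` record gives a place to log refused calls.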
Testing strategy:
Manual testing
Test 1
Simulated the secure screen and checked that context help is not available anymore (nothing happens):
import globalVars;globalVars.appArgs.secure = True
Test 2
Checked that context help is still working in normal mode:
Known issues with pull request:
Context help is not available anymore on the secure screen.
If this is needed, we may open an issue for it and try to address it later.
But I think that the security concern should be addressed first and should not wait for a solution to have context help on the secure screen.
Change log entries:
Changes
In the existing change log, replace:
- Security fix: The addons manager dialog is now disabled on secure screens. (#13059)
by:
- Security fixes: The addons manager dialog and context help are now disabled on secure screens. (#13059, #13353)
Additional note
I think ui.browseableMessage is also based on a browser. Is there any security concern allowing it on the secure screen? I have not been able to do anything from it since there is no menu or shortcut to do anything in this window.
Just mentioning it in case someone knows more than I do on this topic.
Code Review Checklist: