[SECURITY BREACH] Screen lock never engages because of Browser Wake Lock API... #3437

Open
madscientist42 opened this issue Jan 6, 2025 · 1 comment

@madscientist42

Distribution (run cat /etc/os-release):
Pop!_OS 22.04 LTS

Related Application and/or Package Version (run apt policy $PACKAGE NAME):

firefox:
Installed: 1:132.0.1173075900322.04b356c99
Candidate: 1:133.0.3173385139422.043dc2189
Version table:
1:133.0.3173385139422.043dc2189 1001
1001 http://apt.pop-os.org/release jammy/main amd64 Packages
*** 1:132.0.1173075900322.04b356c99 100
100 /var/lib/dpkg/status
1:1snap1-0ubuntu2 500
500 http://apt.pop-os.org/ubuntu jammy/main amd64 Packages

Issue/Bug Description:

Classic security failure. If you're on a website that has permissions to do Screen Wake Locks, say like YouTube, Netflix, X, or Facebook, the screen saver never engages. Since the timing and control of the screen lock engage is tied to screen-blank on the OS, it never engages, meaning that your machine is compromised if you step away from the machine and any of those classes of websites are on a tab on the browser.

This is especially bad for things that MUST have security policies abided by. There needs to be a means to which you can explicitly lock the system down and this is a massive backdoor for everyone to be blunt- it doesn't need to mandate everyone remembering to force it into screen lock for it to be secure.

Steps to reproduce (if you know):

Simple. Surf to any of the above mentioned websites.

Expected behavior:

With screen locking turned on, it should lock the system's console up tighter than a drum, regardless of what the browser asks for. You should have a mitigation for this ill-advised behavior by the Browser devs.

Other Notes:

@mmstick
Member

mmstick commented Jan 6, 2025

Given that this is an intentional behavior of the web browser, and it's operating as intended there, you can always change the behavior if you don't want this. In Firefox, go to about:config and change dom.screenwakelock.enabled to false.
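
Added example, not written by either participant and not part of the Pop!_OS or Firefox code: a small audit that reads each Firefox profile's `prefs.js` and `user.js` and reports whether `dom.screenwakelock.enabled` is effectively `false`. It assumes the standard `user_pref("name", value);` file syntax, that `user.js` is applied over `prefs.js`, and that an unset pref means the wake lock is enabled; the profile names and contents in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

PREF = "dom.screenwakelock.enabled"  # pref named in the comment above
# Matches lines such as: user_pref("dom.screenwakelock.enabled", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_prefs(path):
    """Return {name: raw_value} for each user_pref() line; later lines win."""
    if not path.is_file():
        return {}
    text = path.read_text(encoding="utf-8", errors="replace")
    return {m.group(1): m.group(2)
            for m in map(PREF_LINE.match, text.splitlines()) if m}

def wake_lock_status(profile, assumed_default="true"):
    """Effective PREF value for one profile; user.js is applied over prefs.js."""
    merged = read_prefs(profile / "prefs.js")
    merged.update(read_prefs(profile / "user.js"))
    value = merged.get(PREF, assumed_default)  # the default is an assumption
    return {"profile": profile.name, "value": value,
            "explicit": PREF in merged, "compliant": value == "false"}

def audit(profiles_root):
    """Report on every subdirectory that holds a prefs.js or user.js."""
    return [wake_lock_status(p) for p in sorted(Path(profiles_root).iterdir())
            if (p / "prefs.js").is_file() or (p / "user.js").is_file()]

def demo():
    """Build constructed sample profiles in a temp dir and audit them."""
    samples = {  # constructed data, not taken from a real system
        "a.unset": {"prefs.js": 'user_pref("browser.startup.page", 3);\n'},
        "b.override": {"prefs.js": f'user_pref("{PREF}", true);\n',
                       "user.js": f'user_pref("{PREF}", false);\n'},
        "c.disabled": {"prefs.js": f'user_pref("{PREF}", false);\n'},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in samples.items():
            (Path(tmp) / name).mkdir()
            for fname, body in files.items():
                (Path(tmp) / name / fname).write_text(body, encoding="utf-8")
        return audit(tmp)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

To check a real machine, call `audit()` on the directory that holds the Firefox profiles; rows with `compliant` set to `False` are profiles where a site holding a screen wake lock can still keep the screen from blanking.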
