On my university’s website, there is a post login security check from Duo Security that just loads an iFrame once you enter your password, does whatever the hell it does, and apparently verifies that your login is legit (somehow).
But it only works when I’m on the current tab. If I log in and then switch to a different tab, it does nothing. If you switch back after a little bit, it will continue doing its thing as soon as you do, but wait too long and the session expires and you have to enter your credentials again.
Is it using some JS API to know whether I’m on its tab or not, or is it doing something even weirder? Is it possible to make Firefox report to every open page that I’m always on its tab, even when I’m not?
Yes, and they have for a while: https://developer.mozilla.org/en-US/docs/Web/API/Page_Visibility_API
It’s meant as a way to optimize the page when not in use but a sufficiently motivated entity could easily use it to measure your attentiveness to the content. I don’t personally know of any extensions that disable this but it does require JS, so noscript would stop it (but likely also break most of the web for you)
It’s been possible for much longer, using
window.onblurThis new API may be somewhat smarter (for example, onblur is triggered even if you change to a new window with the original webpage open behind it)
This addon blocks the Page Visibility API: https://addons.mozilla.org/en-GB/firefox/addon/disable-page-visibility/
