Re: Forever reminded to hit ESC to exit fullscreen


Re: Forever reminded to hit ESC to exit fullscreen

Jared Wein
Including dev-media and dev-security.

On Fri, Aug 14, 2015 at 11:53 PM, Eric Shepherd <[hidden email]>
wrote:

> Chris wrote:
>
> After quite a while of watching HTML 5 video content in fullscreen, I'm
> getting a bit tired of being reminded with a huge banner at the top that
> yes, I can still hit ESC to exit fullscreen mode. For those like myself
> that have gotten tired of seeing this message, could there possibly be an
> option somewhere (maybe in about:config) that allows the user to turn them
> off? It's been years now. What do you think?
>
> OMG yes please. I know how to get out of full screen mode. Make the
> reminders stop! :)
>
> --
>
> Eric Shepherd
> Senior Technical Writer
> Mozilla <https://www.mozilla.org/>
> Blog: http://www.bitstampede.com/
> Twitter: http://twitter.com/sheppy
> Check my Availability <https://freebusy.io/eshepherd@...>
>
> _______________________________________________
> firefox-dev mailing list
> [hidden email]
> https://mail.mozilla.org/listinfo/firefox-dev
>
>
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: Forever reminded to hit ESC to exit fullscreen

Brian Smith-19
IIUC, the reminder is supposed to go away after a few seconds. However, I
have experienced the case, many times, where the reminder stays on screen
for the entire video. IIRC, if I restart the browser and replay the same
video again, then the reminder goes away.

HTH,
Brian

--
https://briansmith.org/

Re: Forever reminded to hit ESC to exit fullscreen

Richard Barnes
This prompt is an important part of the security story for fullscreen.
Since a fullscreen web app can hijack your entire browsing session, it's
important that the user know that he's entering fullscreen and not looking
at an actual browser window -- and to know that every time something goes
fullscreen.  So if we're going to back off of displaying the prompt every
time, we need to be clear that we're assuming that the user can make this
distinction.

That honestly seems like a bad deal to me.  If the prompt stays up (as
Brian mentions), that's a bug and we should fix it.  But a 2-3 second box
for each fullscreen transition seems like a small price.

--Richard


Re: Forever reminded to hit ESC to exit fullscreen

Gavin Sharp-3
> But a 2-3 second box for each fullscreen transition seems like a
> small price.

Seems like a pretty large price to me, given a combination of factors:
- significant added friction to a common user action ("start watching
this video in fullscreen")
- low likelihood that the type of attack this mitigates ("fullscreen
spoofing") is successful even without any mitigation, and the
relatively high cost/benefit ratio for such an attack
- low likelihood that it usefully mitigates a sophisticated attack of this sort
- low rate of abuse of pre-existing equivalent functionality (e.g.
Flash's fullscreen)

Gavin


Re: Forever reminded to hit ESC to exit fullscreen

Eric Rescorla
On Sun, Aug 16, 2015 at 5:49 PM, Gavin Sharp <[hidden email]> wrote:

> > But a 2-3 second box for each fullscreen transition seems like a
> > small price.
>
> Seems like a pretty large price to me, given a combination of factors:
> - significant added friction to a common user action ("start watching
> this video in fullscreen")
> - low likelihood that the type of attack this mitigates ("fullscreen
> spoofing") is successful even without any mitigation, and the
> relatively high cost/benefit ratio for such an attack
> - low likelihood that it usefully mitigates a sophisticated attack of this
> sort
>

Can you please point to some supporting documentation for these claims?

-Ekr

> - low rate of abuse of pre-existing equivalent functionality (e.g.
> Flash's fullscreen)
>
> Gavin


Re: Forever reminded to hit ESC to exit fullscreen

Chris Hofmann-2
On Sun, Aug 16, 2015 at 5:52 PM, Eric Rescorla <[hidden email]> wrote:

>
>
> On Sun, Aug 16, 2015 at 5:49 PM, Gavin Sharp <[hidden email]> wrote:
>
>> > But a 2-3 second box for each fullscreen transition seems like a
>> > small price.
>>
>> Seems like a pretty large price to me, given a combination of factors:
>> - significant added friction to a common user action ("start watching
>> this video in fullscreen")
>> - low likelihood that the type of attack this mitigates ("fullscreen
>> spoofing") is successful even without any mitigation, and the
>> relatively high cost/benefit ratio for such an attack
>>
>
Not sure if I understand the point you are trying to make with this and the
next item below.

Are you saying that there is high cost to building such an attack and low
benefit to the attacker?

Are you suggesting that a small level of defense is worthless, so it's
better to just get rid of all the defenses?

Good reading from a few years ago, with the proof of concept to go along
with it.
http://feross.org/html5-fullscreen-api-attack/

The "full screen browser mode" to "full screen video" is an interesting
scenario.

What's the likelihood of increased targeted attacks against Firefox if we
remove or reduce the defenses?

-chofmann



>> - low likelihood that it usefully mitigates a sophisticated attack of this
>> sort
>
> Can you please point to some supporting documentation for these claims?
>
> -Ekr
>
>> - low rate of abuse of pre-existing equivalent functionality (e.g.
>> Flash's fullscreen)
>>
>> Gavin

Re: Forever reminded to hit ESC to exit fullscreen

Gavin Sharp-3
I'm not making any statement as asinine as "there's no point worrying about
security", and it's frustrating that that's something I would even have to
clarify.

Richard stated he thought the current solution had a "small price" and I
disagreed with him.

This boils down to a classic security/usability tradeoff. Those tradeoffs
are ultimately matters of opinion, not fact, and need to be made by
estimating what is likely in addition to understanding what is possible.

None of us are the product owners responsible for making that tradeoff, so
having stated my opinion I'll defer to them.

Gavin


Re: Forever reminded to hit ESC to exit fullscreen

Eric Shepherd
I have to agree with Gavin here: the risk of this sort of attack occurring is very low, but the potential for annoying or confusing users with this presentation is, if not high, at least high enough to make it overkill. At least having a way (even if it's an about:config-only thing) to drop this reminder once you have it through your head would be helpful.

Or what if we add a "don't show this again" checkbox, BUT only after it has been displayed, say, ten times. That way you can be sure they have seen the warning. Then when they opt to stop showing it, have a confirmation dialog remind them of the risk. From then on, they don't get the reminder.

Eric Shepherd
Sr. Technical Writer
Mozilla
Blog: http://www.bitstampede.com/
Twitter: http://twitter.com/sheppy


Re: Forever reminded to hit ESC to exit fullscreen

Eric Rescorla
On Sun, Aug 16, 2015 at 8:07 PM, Eric Shepherd <[hidden email]>
wrote:

> I have to agree with Gavin here: the risk of this sort of attack occurring
> is very low,
>

Do you have some evidence for this?

-Ekr


> but the potential for annoying or confusing users with this presentation
> is, if not high, at least high enough to make it overkill. At least having
> a way (even if it's an about:config only thing) to drop this reminder once
> you have it through your head, would be helpful.
>
> Or what if we add a checkbox "don't show this again" BUT only after, say,
> ten times displayed. That way you can be sure they have seen the warning.
> Then when they opt to stop showing it, have a confirmation dialog remind
> them of the risk. From then on, they don't get the reminder.
>
> Eric Shepherd
> Sr. Technical Writer
> Mozilla
> Blog: http://www.bitstampede.com/
> Twitter: http://twitter.com/sheppy
>

Re: Forever reminded to hit ESC to exit fullscreen

Matthew Turnbull
First off, I have to say that I do like the new UI, regardless of the
impetus for the change.

However, I'm also not entirely sold that this has a strong impact on
user security. I doubt the practicality of such an attack, since you
would have to reasonably match:

* The OS native theme.
* The browser's chrome elements and theme.
* Basic browser chrome functionality and behavior.
* Have the user overlook that the browser just flipped out when visiting
a site or clicking a link.

Fortunately for the user, the first two aspects are incredibly easy to
change. For example, when I tried the proof of concept, my browser theme
went from light grey to dark gray and all of the toolbars - and their
contents - changed. If a malicious site is able to accurately capture
the state of, and reproduce, the desktop and browser chrome, I'd say
that is a much more serious issue than triggering full screen.

For me, the biggest issue with this attack is getting the user to ignore
the browser spontaneously maximizing/full screening, which is rather
jarring. I expect most users will only intentionally enter full screen
when playing a game or watching a video, so having the browser do it on
its own would hopefully be enough of a red flag. But if you can get the
user to ignore that, then they're probably also going to ignore, or be
oblivious to the full screen notification.

I will grant that there is a large number of users that do not make
cosmetic changes to their OS or Firefox, so they would be much more
susceptible to an attack like this. But these users are also not likely
to want a knob to turn off the notification.

So, implementing an option, per site or globally, to turn off this nag
doesn't seem like an entirely unreasonable request. I know I certainly
would turn it off.

On 08/16/2015 11:53 PM, Eric Rescorla wrote:

>
>
> On Sun, Aug 16, 2015 at 8:07 PM, Eric Shepherd <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     I have to agree with Gavin here: the risk of this sort of attack
>     occurring is very low,
>
>
> Do you have some evidence for this?
>
> -Ekr
>
>     but the potential for annoying or confusing users with this
>     presentation is, if not high, at least high enough to make it
>     overkill. At least having a way (even if it's an about:config only
>     thing) to drop this reminder once you have it through your head,
>     would be helpful.
>
>     Or what if we add a checkbox "don't show this again" BUT only
>     after, say, ten times displayed. That way you can be sure they
>     have seen the warning. Then when they opt to stop showing it, have
>     a confirmation dialog remind them of the risk. From then on, they
>     don't get the reminder.
>
>     Eric Shepherd
>     Sr. Technical Writer
>     Mozilla
>     Blog: http://www.bitstampede.com/
>     Twitter: http://twitter.com/sheppy
>

--
Bluefang-Logic Networks:

Scaled for your pleasure.


Re: Forever reminded to hit ESC to exit fullscreen

Nicholas Nethercote
In reply to this post by Richard Barnes
On Mon, Aug 17, 2015 at 5:15 AM, Richard Barnes <[hidden email]> wrote:
>
> But a 2-3 second box for each
> fullscreen transition seems like a small price.

The box is very prominent and often blocks part of the video, which I
personally find quite annoying.

If the notification were less prominent -- e.g. a strip along the top
or bottom of the screen, like we already use for things like warnings
about pop-ups and slow add-ons -- I think that would make it much more
tolerable.

Nick

Re: Forever reminded to hit ESC to exit fullscreen

Sebastian Zartner-2
On 17 August 2015 at 07:34, Nicholas Nethercote <[hidden email]> wrote:

> On Mon, Aug 17, 2015 at 5:15 AM, Richard Barnes <[hidden email]> wrote:
>>
>> But a 2-3 second box for each
>> fullscreen transition seems like a small price.
>
> The box is very prominent and often blocks part of the video, which I
> personally find quite annoying.
>
> If the notification were less prominent -- e.g. a strip along the top
> or bottom of the screen, like we already use for things like warnings
> about pop-ups and slow add-ons -- I think that would make it much more
> tolerable.

I agree with that. The main annoyance for people is that it's too prominent.

Also, in the new UI of bug 1160023 I see no way anymore to whitelist a page.

Sebastian

Re: Forever reminded to hit ESC to exit fullscreen

Javaun Moradi
In reply to this post by Matthew Turnbull
The desktop UX team, platform security and media/graphics teams worked together to find a good compromise that balanced security with user experience. It was a long conversation.

The Chrome browser has a similar 2-3 second fullscreen warning, even on Google sites like Youtube. They have a dedicated team testing security research. I’m not suggesting we’re fast-following them here (which is not a bad idea), but to the extent we can piggyback on things they’ve spent months/years learning, we should try.

Javaun Moradi | [hidden email] | IRC: javaun | @javaun

> On Aug 17, 2015, at 12:22 AM, Matthew Turnbull <[hidden email]> wrote:
>
> First off, I have to say that I do like the new UI, regardless of the impetus for the change.
>
> However, I'm also not entirely sold that this has a strong impact on user security. I doubt the practicality of such an attack, since you would have to reasonably match:
>
> * The OS native theme.
> * The browser's chrome elements and theme.
> * Basic browser chrome functionality and behavior.
> * Have the user overlook that the browser just flipped out when visiting a site or clicking a link.
>
> Fortunately for the user, the first two aspects are incredibly easy to change. For example, when I tried the proof of concept, my browser theme went from light grey to dark gray and all of the toolbars - and their contents - changed. If a malicious site is able to accurately capture the state of, and reproduce, the desktop and browser chrome, I'd say that is a much more serious issue than triggering full screen.
>
> For me, the biggest issue with this attack is getting the user to ignore the browser spontaneously maximizing/full screening, which is rather jarring. I expect most users will only intentionally enter full screen when playing a game or watching a video, so having the browser do it on its own would hopefully be enough of a red flag. But if you can get the user to ignore that, then they're probably also going to ignore, or be oblivious to the full screen notification.
>
> I will grant that there is a large number of users that do not make cosmetic changes to their OS or Firefox, so they would be much more susceptible to an attack like this. But these users are also not likely to want a knob to turn off the notification.
>
> So, implementing an option, per site or globally, to turn off this nag doesn't seem like an entirely unreasonable request. I know I certainly would turn it off.
>
>
> --
> Bluefang-Logic Networks:
>
> Scaled for your pleasure.
> _______________________________________________
> firefox-dev mailing list
> [hidden email]
> https://mail.mozilla.org/listinfo/firefox-dev

_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: Forever reminded to hit ESC to exit fullscreen

Javaun Moradi
Ack. Chrome has a dedicated user research team for security UX.


Javaun Moradi | [hidden email] | IRC: javaun | @javaun

> On Aug 17, 2015, at 11:00 AM, Javaun Moradi <[hidden email]> wrote:
>
> The desktop UX team, platform security and media/graphics teams worked together to find a good compromise that balanced security with user experience. It was a long conversation.
>
> The Chrome browser has a similar 2-3 second fullscreen warning, even on Google sites like Youtube. They have a dedicated team testing security research. I’m not suggesting we’re fast-following them here (which is not a bad idea), but to the extent we can piggyback on things they’ve spent months/years learning, we should try.

Re: Forever reminded to hit ESC to exit fullscreen

Michael Verdi-2
In reply to this post by Matthew Turnbull
Hi,
Here’s a quick comparison of the various full screen notifications - https://youtu.be/K5S-WGDIvLI
Our new interaction is much less onerous on the user - comparable to the Flash full screen interaction. It even requires less interaction than Chrome does.
Thanks,
Michael

--
Michael Verdi • Firefox UX • blog.mozilla.org/verdi • irc: verdi

> On Aug 16, 2015, at 11:22 PM, Matthew Turnbull <[hidden email]> wrote:
>
> First off, I have to say that I do like the new UI, regardless of the impetus for the change.
>
> However, I'm also not entirely sold that this has a strong impact on user security. I doubt the practicality of such an attack, since you would have to reasonably match:
>
> * The OS native theme.
> * The browser's chrome elements and theme.
> * Basic browser chrome functionality and behavior.
> * Have the user overlook that the browser just flipped out when visiting a site or clicking a link.
>
> Fortunately for the user, the first two aspects are incredibly easy to change. For example, when I tried the proof of concept, my browser theme went from light grey to dark gray and all of the toolbars - and their contents - changed. If a malicious site is able to accurately capture the state of, and reproduce, the desktop and browser chrome, I'd say that is a much more serious issue than triggering full screen.
>
> For me, the biggest issue with this attack is getting the user to ignore the browser spontaneously maximizing/full screening, which is rather jarring. I expect most users will only intentionally enter full screen when playing a game or watching a video, so having the browser do it on its own would hopefully be enough of a red flag. But if you can get the user to ignore that, then they're probably also going to ignore, or be oblivious to the full screen notification.
>
> I will grant that there is a large number of users that do not make cosmetic changes to their OS or Firefox, so they would be much more susceptible to an attack like this. But these users are also not likely to want a knob to turn off the notification.
>
> So, implementing an option, per site or globally, to turn off this nag doesn't seem like an entirely unreasonable request. I know I certainly would turn it off.

Re: Forever reminded to hit ESC to exit fullscreen

Gavin Sharp-3
The new UI is much better - good work!

Gavin

On Mon, Aug 17, 2015 at 8:02 AM, Michael Verdi <[hidden email]> wrote:

> Hi,
> Here’s a quick comparison of the various full screen notifications -
> https://youtu.be/K5S-WGDIvLI
> Our new interaction is much less onerous on the user - comparable to the
> Flash full screen interaction. It even requires less interaction than
> Chrome does.
> Thanks,
> Michael
>
> --
> Michael Verdi • Firefox UX • blog.mozilla.org/verdi • irc: verdi
>
> On Aug 16, 2015, at 11:22 PM, Matthew Turnbull <[hidden email]>
> wrote:
>
> First off, I have to say that I do like the new UI, regardless of the
> impetus for the change.
>
> However, I'm also not entirely sold that this has a strong impact on user
> security. I doubt the practicality of such an attack, since you would have
> to reasonably match:
>
> * The OS native theme.
> * The browsers chrome elements and theme.
> * Basic browser chrome functionality and behavior.
> * Have the user overlook that the browser just flipped out when visiting a
> site or clicking a link.
>
> Fortunately for the user, the first two aspects are incredibly easy to
> change. For example, when I tried the proof of concept, my browser theme
> went from light grey to dark gray and all of the toolbars - and their
> contents - changed. If a malicious site is able to accurately capture the
> state of, and reproduce, the desktop and browser chrome, I'd say that is a
> much more serious issue than triggering full screen.
>
> For me, the biggest issue with this attack is getting the user to ignore
> the browser spontaneously maximizing/full screening, witch is rather
> jarring. I expect most users will only intentionally enter full screen when
> playing a game or watching a video, so having the browser do it on it's own
> would hopefully be enough of a red flag. But if you can get the user to
> ignore that, then they're probably also going to ignore, or be oblivious to
> the full screen notification.
>
> I will grant that there is a large number of users that do not make
> cosmetic changes to their OS or Firefox, so they would be much more
> susceptible to an attack like this. But these user are also not likely to
> want a knob to turn off the notification.
>
> So, implementing a option, per site or globally, to turn off this nag
> doesn't seem like an entirely unreasonable request. I know I certainly
> would turn it off.
>
> On 08/16/2015 11:53 PM, Eric Rescorla wrote:
>
>
>
> On Sun, Aug 16, 2015 at 8:07 PM, Eric Shepherd <[hidden email]>
> wrote:
>
>> I have to agree with Gavin here: the risk of this sort of attack
>> occurring is very low,
>>
>
> Do you have some evidence for this?
>
> -Ekr
>
>
>> but the potential for annoying or confusing users with this presentation
>> is, if not high, at least high enough to make it overkill. At least having
>> a way (even if it's an about:config only thing) to drop this reminder
>> once you have it through your head, would be helpful.
>>
>> Or what if we add a checkbox "don't show this again" BUT only after, say,
>> ten times displayed. That way you can be sure they have seen the warning.
>> Then when they opt to stop showing it, have a confirmation dialog remind
>> them of the risk. From then on, they don't get the reminder.
>>
>> Eric Shepherd
>> Sr. Technical Writer
>> Mozilla
>> Blog: http://www.bitstampede.com/
>> Twitter: http://twitter.com/sheppy
>>
>> On Aug 16, 2015, at 9:38 PM, Gavin Sharp < <[hidden email]>
>> [hidden email]> wrote:
>>
>> I'm not making any statement as asinine as "there's no point worrying
>> about security", and it's frustrating that that's something I would even
>> have to clarify.
>>
>> Richard stated he thought the current solution had a "small price" and I
>> disagreed with him.
>>
>> This boils down to a classic security/usability tradeoff. Those tradeoffs
>> are ultimately matters of opinion, not fact, and need to be made by
>> estimating what is likely in addition to understanding what is possible.
>>
>> None of us are the product owners responsible for making that tradeoff,
>> so having stated my opinion I'll defer to them.
>>
>> Gavin
>>
>> On Sun, Aug 16, 2015 at 6:16 PM, Chris Hofmann < <[hidden email]>
>> [hidden email]> wrote:
>>
>>>
>>>
>>> On Sun, Aug 16, 2015 at 5:52 PM, Eric Rescorla < <[hidden email]>
>>> [hidden email]> wrote:
>>>
>>>>
>>>>
>>>> On Sun, Aug 16, 2015 at 5:49 PM, Gavin Sharp < <[hidden email]>
>>>> [hidden email]> wrote:
>>>>
>>>>> > But a 2-3 second box for each fullscreen transition seems like a
>>>>> > small price.
>>>>>
>>>>> Seems like a pretty large price to me, given a combination of factors:
>>>>> - significant added friction to a common user action ("start watching
>>>>> this video in fullscreen")
>>>>> - low likelihood that the type of attack this mitigates ("fullscreen
>>>>> spoofing") is successful even without any mitigation, and the
>>>>> relatively high cost/benefit ratio for such an attack
>>>>>
>>>>
>>> Not sure if I understand the point you are trying to make with this and
>>> the next item below.
>>>
>>> Are you saying that there is high cost to building such an attack and
>>> low benefit to the attacker?
>>>
>>> Are you suggesting that a small level of defense is worthless to its
>>> better to just get rid of all the defenses?
>>>
>>> Good reading from a few years ago, with the proof of concept to go along
>>> with it.
>>> http://feross.org/html5-fullscreen-api-attack/
>>>
>>> The "full screen browser mode" to "full screen video" is an interesting
>>> scenario.
>>>
>>> What's the likelihood of increased targeted attacks against firefox it
>>> we remove or reduce the defenses?
>>>
>>> -chofmann
>>>
>>>
>>>
>>>> - low likelihood that it usefully mitigates a sophisticated attack of
>>>>> this sort
>>>>>
>>>>
>>>> Can you please point to some supporting documentation for these claims?
>>>>
>>>> -Ekr
>>>>
>>>> - low rate of abuse of pre-existing equivalent functionality (e.g.
>>>>> Flash's fullscreen)
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>> Gavin
>>>>>
>>>>> On Sun, Aug 16, 2015 at 12:15 PM, Richard Barnes <[hidden email]> wrote:
>>>>> > This prompt is an important part of the security story for fullscreen.
>>>>> > Since a fullscreen web app can hijack your entire browsing session, it's
>>>>> > important that the user know that he's entering fullscreen and not looking
>>>>> > at an actual browser window -- and to know that every time something goes
>>>>> > fullscreen.  So if we're going to back off of displaying the prompt every
>>>>> > time, we need to be clear that we're assuming that the user can make this
>>>>> > distinction.
>>>>> >
>>>>> > That honestly seems like a bad deal to me.  If the prompt stays up (as
>>>>> > Brian mentions), that's a bug and we should fix it.  But a 2-3 second box
>>>>> > for each fullscreen transition seems like a small price.
>>>>> >
>>>>> > --Richard
>>>>> >
> --
> Bluefang-Logic Networks:
>
> Scaled for your pleasure.
>

Re: Forever reminded to hit ESC to exit fullscreen

Mike Hommey
In reply to this post by Michael Verdi-2
On Mon, Aug 17, 2015 at 10:02:38AM -0500, Michael Verdi wrote:
> Hi, Here’s a quick comparison of the various full screen notifications
> - https://youtu.be/K5S-WGDIvLI Our new interaction is much less
> onerous on the user - comparable to the flash full screen interaction.
> It even requires less interaction than Chrome does.  Thanks, Michael

FWIW "Exit Full Screen (esc)" doesn't really sound like lambda users
would understand as "press esc to exit full screen".

Mike

Re: Forever reminded to hit ESC to exit fullscreen

Chris-3
Thanks for the comparison Michael! That does look better, I do appreciate
that it's been downsized and doesn't require the additional user input
anymore. However since the notification is in the black letterbox, I can't
tell - is the message box fully opaque, or partially transparent?

On Mon, Aug 17, 2015 at 6:41 PM, Mike Hommey <[hidden email]> wrote:

> On Mon, Aug 17, 2015 at 10:02:38AM -0500, Michael Verdi wrote:
> > Hi, Here’s a quick comparison of the various full screen notifications
> > - https://youtu.be/K5S-WGDIvLI Our new interaction is much less
> > onerous on the user - comparable to the flash full screen interaction.
> > It even requires less interaction than Chrome does.  Thanks, Michael
>
> FWIW "Exit Full Screen (esc)" doesn't really sound like lambda users
> would understand as "press esc to exit full screen".
>
> Mike
>

Re: Forever reminded to hit ESC to exit fullscreen

Michael Verdi-2
In reply to this post by Mike Hommey

> On Aug 17, 2015, at 5:41 PM, Mike Hommey <[hidden email]> wrote:
>
> FWIW "Exit Full Screen (esc)" doesn't really sound like lambda users
> would understand as "press esc to exit full screen".

The idea is that the primary way to exit full screen is to click the button that says "Exit Full Screen." The (Esc) part is the keyboard shortcut that's displayed as a bit of a hybrid between what we do in menu items and button tool tips. For example, the History button says, "Show your history (Ctrl+H)" and the show all bookmarks menu item says, "Show All Bookmarks     Ctrl+Shift+B." This design has a button but I didn't think a tool tip was right in this situation since using the Esc key has been such a primary (sometimes only) way of exiting full screen. I wanted to make sure people who were familiar with using Esc could see that it was still possible to use without mousing over the button.

> On Aug 17, 2015, at 6:47 PM, Chris <[hidden email]> wrote:
>
> However since the notification is in the black letterbox, I can't tell - is the message box fully opaque, or partially transparent?

Yes, it’s partially transparent.

Thanks,
Michael

--
Michael Verdi • Firefox UX • http://blog.mozilla.org/verdi • irc: verdi
