On Sun, Aug 16, 2015 at 5:49 PM, Gavin Sharp <[email protected]> wrote:

> > But a 2-3 second box for each fullscreen transition seems like a
> > small price.
>
> Seems like a pretty large price to me, given a combination of factors:
> - significant added friction to a common user action ("start watching
> this video in fullscreen")
> - low likelihood that the type of attack this mitigates ("fullscreen
> spoofing") is successful even without any mitigation, and the
> relatively high cost/benefit ratio for such an attack
> - low likelihood that it usefully mitigates a sophisticated attack of this
> sort
>

Can you please point to some supporting documentation for these claims?

-Ekr

> - low rate of abuse of pre-existing equivalent functionality (e.g.
> Flash's fullscreen)
>
> Gavin
>
> On Sun, Aug 16, 2015 at 12:15 PM, Richard Barnes <[email protected]> wrote:
> > This prompt is an important part of the security story for fullscreen.
> > Since a fullscreen web app can hijack your entire browsing session, it's
> > important that the user know that he's entering fullscreen and not looking
> > at an actual browser window -- and to know that every time something goes
> > fullscreen.  So if we're going to back off of displaying the prompt every
> > time, we need to be clear that we're assuming that the user can make this
> > distinction.
> >
> > That honestly seems like a bad deal to me.  If the prompt stays up (as
> > Brian mentions), that's a bug and we should fix it.  But a 2-3 second box
> > for each fullscreen transition seems like a small price.
> >
> > --Richard
> >
> > On Sat, Aug 15, 2015 at 9:55 AM, Brian Smith <[email protected]> wrote:
> >
> >> IIUC, the reminder is supposed to go away after a few seconds. However, I
> >> have experienced the case, many times, where the reminder stays on screen
> >> for the entire video. IIRC, if I restart the browser and replay the same
> >> video again, then the reminder goes away.
> >>
> >> HTH,
> >> Brian
> >>
> >> On Sat, Aug 15, 2015 at 12:17 AM, Jared Wein <[email protected]> wrote:
> >>
> >> > Including dev-media and dev-security.
> >> >
> >> > On Fri, Aug 14, 2015 at 11:53 PM, Eric Shepherd <[email protected]>
> >> > wrote:
> >> >
> >> > > Chris wrote:
> >> > >
> >> > > After quite a while of watching HTML 5 video content in fullscreen, I'm
> >> > > getting a bit tired of being reminded with a huge banner at the top that
> >> > > yes, I can still hit ESC to exit fullscreen mode. For those like myself
> >> > > that have gotten tired of seeing this message, could there possibly be an
> >> > > option somewhere (maybe in about:config) that allows the user to turn them
> >> > > off? It's been years now. What do you think?
> >> > >
> >> > > OMG yes please. I know how to get out of full screen mode. Make the
> >> > > reminders stop! :)
> >> > >
> >> > > --
> >> > >
> >> > > Eric Shepherd
> >> > > Senior Technical Writer
> >> > > Mozilla <https://www.mozilla.org/>
> >> > > Blog: http://www.bitstampede.com/
> >> > > Twitter: http://twitter.com/sheppy
> >> > > Check my Availability <https://freebusy.io/[email protected]>
> >> > >
> >> > > _______________________________________________
> >> > > firefox-dev mailing list
> >> > > [email protected]
> >> > > https://mail.mozilla.org/listinfo/firefox-dev
> >> > >
> >> > >
> >> > _______________________________________________
> >> > dev-security mailing list
> >> > [email protected]
> >> > https://lists.mozilla.org/listinfo/dev-security
> >> >
> >>
> >>
> >>
> >> --
> >> https://briansmith.org/
> >>
> > _______________________________________________
> > dev-media mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-media