On Sun, Aug 16, 2015 at 8:07 PM, Eric Shepherd <[email protected]> wrote:

> I have to agree with Gavin here: the risk of this sort of attack occurring
> is very low,

Do you have some evidence for this?

-Ekr

> but the potential for annoying or confusing users with this presentation
> is, if not high, at least high enough to make it overkill. At least having
> a way (even if it's an about:config only thing) to drop this reminder once
> you have it through your head, would be helpful.
>
> Or what if we add a checkbox "don't show this again" BUT only after, say,
> ten times displayed. That way you can be sure they have seen the warning.
> Then when they opt to stop showing it, have a confirmation dialog remind
> them of the risk. From then on, they don't get the reminder.
>
> Eric Shepherd
> Sr. Technical Writer
> Mozilla
> Blog: http://www.bitstampede.com/
> Twitter: http://twitter.com/sheppy
>
> On Aug 16, 2015, at 9:38 PM, Gavin Sharp <[email protected]> wrote:
>
> I'm not making any statement as asinine as "there's no point worrying
> about security", and it's frustrating that that's something I would even
> have to clarify.
>
> Richard stated he thought the current solution had a "small price" and I
> disagreed with him.
>
> This boils down to a classic security/usability tradeoff. Those tradeoffs
> are ultimately matters of opinion, not fact, and need to be made by
> estimating what is likely in addition to understanding what is possible.
>
> None of us are the product owners responsible for making that tradeoff, so
> having stated my opinion I'll defer to them.
>
> Gavin
>
> On Sun, Aug 16, 2015 at 6:16 PM, Chris Hofmann <[email protected]>
> wrote:
>
>> On Sun, Aug 16, 2015 at 5:52 PM, Eric Rescorla <[email protected]> wrote:
>>
>>> On Sun, Aug 16, 2015 at 5:49 PM, Gavin Sharp <[email protected]>
>>> wrote:
>>>
>>>> > But a 2-3 second box for each fullscreen transition seems like a
>>>> > small price.
>>>>
>>>> Seems like a pretty large price to me, given a combination of factors:
>>>> - significant added friction to a common user action ("start watching
>>>> this video in fullscreen")
>>>> - low likelihood that the type of attack this mitigates ("fullscreen
>>>> spoofing") is successful even without any mitigation, and the
>>>> relatively high cost/benefit ratio for such an attack
>>>
>> Not sure if I understand the point you are trying to make with this and
>> the next item below.
>>
>> Are you saying that there is high cost to building such an attack and low
>> benefit to the attacker?
>>
>> Are you suggesting that a small level of defense is worthless, so it's
>> better to just get rid of all the defenses?
>>
>> Good reading from a few years ago, with the proof of concept to go along
>> with it.
>> http://feross.org/html5-fullscreen-api-attack/
>>
>> The "full screen browser mode" to "full screen video" is an interesting
>> scenario.
>>
>> What's the likelihood of increased targeted attacks against Firefox if we
>> remove or reduce the defenses?
>>
>> -chofmann
>>
>>>> - low likelihood that it usefully mitigates a sophisticated attack of
>>>> this sort
>>>
>>> Can you please point to some supporting documentation for these claims?
>>>
>>> -Ekr
>>>
>>>> - low rate of abuse of pre-existing equivalent functionality (e.g.
>>>> Flash's fullscreen)
>>>>
>>>> Gavin
>>>>
>>>> On Sun, Aug 16, 2015 at 12:15 PM, Richard Barnes <[email protected]>
>>>> wrote:
>>>> > This prompt is an important part of the security story for fullscreen.
>>>> > Since a fullscreen web app can hijack your entire browsing session, it's
>>>> > important that the user know that he's entering fullscreen and not looking
>>>> > at an actual browser window -- and to know that every time something goes
>>>> > fullscreen. So if we're going to back off of displaying the prompt every
>>>> > time, we need to be clear that we're assuming that the user can make this
>>>> > distinction.
>>>> >
>>>> > That honestly seems like a bad deal to me. If the prompt stays up (as
>>>> > Brian mentions), that's a bug and we should fix it. But a 2-3 second box
>>>> > for each fullscreen transition seems like a small price.
>>>> >
>>>> > --Richard
>>>> >
>>>> > On Sat, Aug 15, 2015 at 9:55 AM, Brian Smith <[email protected]>
>>>> > wrote:
>>>> >
>>>> >> IIUC, the reminder is supposed to go away after a few seconds. However, I
>>>> >> have experienced the case, many times, where the reminder stays on screen
>>>> >> for the entire video. IIRC, if I restart the browser and replay the same
>>>> >> video again, then the reminder goes away.
>>>> >>
>>>> >> HTH,
>>>> >> Brian
>>>> >>
>>>> >> On Sat, Aug 15, 2015 at 12:17 AM, Jared Wein <[email protected]>
>>>> >> wrote:
>>>> >>
>>>> >> > Including dev-media and dev-security.
>>>> >> >
>>>> >> > On Fri, Aug 14, 2015 at 11:53 PM, Eric Shepherd <[email protected]>
>>>> >> > wrote:
>>>> >> >
>>>> >> > > Chris wrote:
>>>> >> > >
>>>> >> > > After quite a while of watching HTML 5 video content in fullscreen, I'm
>>>> >> > > getting a bit tired of being reminded with a huge banner at the top that
>>>> >> > > yes, I can still hit ESC to exit fullscreen mode. For those like myself
>>>> >> > > that have gotten tired of seeing this message, could there possibly be an
>>>> >> > > option somewhere (maybe in about:config) that allows the user to turn them
>>>> >> > > off? It's been years now. What do you think?
>>>> >> > >
>>>> >> > > OMG yes please. I know how to get out of full screen mode. Make the
>>>> >> > > reminders stop! :)
>>>> >> > >
>>>> >> > > --
>>>> >> > >
>>>> >> > > Eric Shepherd
>>>> >> > > Senior Technical Writer
>>>> >> > > Mozilla <https://www.mozilla.org/>
>>>> >> > > Blog: http://www.bitstampede.com/
>>>> >> > > Twitter: http://twitter.com/sheppy
>>>> >> > > Check my Availability <https://freebusy.io/[email protected]>
>>>> >> > >
>>>> >> > > _______________________________________________
>>>> >> > > firefox-dev mailing list
>>>> >> > > [email protected]
>>>> >> > > https://mail.mozilla.org/listinfo/firefox-dev
>>>> >> > >
>>>> >> > _______________________________________________
>>>> >> > dev-security mailing list
>>>> >> > [email protected]
>>>> >> > https://lists.mozilla.org/listinfo/dev-security
>>>> >> >
>>>> >>
>>>> >> --
>>>> >> https://briansmith.org/
>>>> >>
>>>> > _______________________________________________
>>>> > dev-media mailing list
>>>> > [email protected]
>>>> > https://lists.mozilla.org/listinfo/dev-media

