Hi,

Here’s a quick comparison of the various full screen notifications - https://youtu.be/K5S-WGDIvLI

Our new interaction is much less onerous on the user - comparable to the flash full screen interaction. It even requires less interaction than Chrome does.

Thanks,
Michael

--
Michael Verdi • Firefox UX • blog.mozilla.org/verdi • irc: verdi

> On Aug 16, 2015, at 11:22 PM, Matthew Turnbull <[email protected]> wrote:
>
> First off, I have to say that I do like the new UI, regardless of the impetus for the change.
>
> However, I'm also not entirely sold that this has a strong impact on user security. I doubt the practicality of such an attack, since you would have to reasonably match:
>
> * The OS native theme.
> * The browser's chrome elements and theme.
> * Basic browser chrome functionality and behavior.
> * Have the user overlook that the browser just flipped out when visiting a site or clicking a link.
>
> Fortunately for the user, the first two aspects are incredibly easy to change. For example, when I tried the proof of concept, my browser theme went from light grey to dark gray and all of the toolbars - and their contents - changed. If a malicious site is able to accurately capture the state of, and reproduce, the desktop and browser chrome, I'd say that is a much more serious issue than triggering full screen.
>
> For me, the biggest issue with this attack is getting the user to ignore the browser spontaneously maximizing/full screening, which is rather jarring. I expect most users will only intentionally enter full screen when playing a game or watching a video, so having the browser do it on its own would hopefully be enough of a red flag. But if you can get the user to ignore that, then they're probably also going to ignore, or be oblivious to, the full screen notification.
>
> I will grant that there is a large number of users that do not make cosmetic changes to their OS or Firefox, so they would be much more susceptible to an attack like this. But these users are also not likely to want a knob to turn off the notification.
>
> So, implementing an option, per site or globally, to turn off this nag doesn't seem like an entirely unreasonable request. I know I certainly would turn it off.
>
> On 08/16/2015 11:53 PM, Eric Rescorla wrote:
>>
>> On Sun, Aug 16, 2015 at 8:07 PM, Eric Shepherd <[email protected]> wrote:
>>
>> I have to agree with Gavin here: the risk of this sort of attack occurring is very low,
>>
>> Do you have some evidence for this?
>>
>> -Ekr
>>
>> but the potential for annoying or confusing users with this presentation is, if not high, at least high enough to make it overkill. At least having a way (even if it's an about:config only thing) to drop this reminder once you have it through your head, would be helpful.
>>
>> Or what if we add a checkbox "don't show this again" BUT only after, say, ten times displayed. That way you can be sure they have seen the warning. Then when they opt to stop showing it, have a confirmation dialog remind them of the risk. From then on, they don't get the reminder.
>>
>> Eric Shepherd
>> Sr. Technical Writer
>> Mozilla
>> Blog: http://www.bitstampede.com/
>> Twitter: http://twitter.com/sheppy
>>
>> On Aug 16, 2015, at 9:38 PM, Gavin Sharp <[email protected]> wrote:
>>
>>> I'm not making any statement as asinine as "there's no point worrying about security", and it's frustrating that that's something I would even have to clarify.
>>>
>>> Richard stated he thought the current solution had a "small price" and I disagreed with him.
>>>
>>> This boils down to a classic security/usability tradeoff. Those tradeoffs are ultimately matters of opinion, not fact, and need to be made by estimating what is likely in addition to understanding what is possible.
>>>
>>> None of us are the product owners responsible for making that tradeoff, so having stated my opinion I'll defer to them.
>>>
>>> Gavin
>>>
>>> On Sun, Aug 16, 2015 at 6:16 PM, Chris Hofmann <[email protected]> wrote:
>>>
>>> On Sun, Aug 16, 2015 at 5:52 PM, Eric Rescorla <[email protected]> wrote:
>>>
>>> On Sun, Aug 16, 2015 at 5:49 PM, Gavin Sharp <[email protected]> wrote:
>>> > But a 2-3 second box for each fullscreen transition seems like a small price.
>>>
>>> Seems like a pretty large price to me, given a combination of factors:
>>> - significant added friction to a common user action ("start watching this video in fullscreen")
>>> - low likelihood that the type of attack this mitigates ("fullscreen spoofing") is successful even without any mitigation, and the relatively high cost/benefit ratio for such an attack
>>>
>>> Not sure if I understand the point you are trying to make with this and the next item below.
>>>
>>> Are you saying that there is high cost to building such an attack and low benefit to the attacker?
>>>
>>> Are you suggesting that a small level of defense is worthless so it's better to just get rid of all the defenses?
>>>
>>> Good reading from a few years ago, with the proof of concept to go along with it.
>>> http://feross.org/html5-fullscreen-api-attack/
>>>
>>> The "full screen browser mode" to "full screen video" is an interesting scenario.
>>>
>>> What's the likelihood of increased targeted attacks against Firefox if we remove or reduce the defenses?
>>>
>>> -chofmann
>>>
>>> - low likelihood that it usefully mitigates a sophisticated attack of this sort
>>>
>>> Can you please point to some supporting documentation for these claims?
>>>
>>> -Ekr
>>>
>>> - low rate of abuse of pre-existing equivalent functionality (e.g. Flash's fullscreen)
>>>
>>> Gavin
>>>
>>> On Sun, Aug 16, 2015 at 12:15 PM, Richard Barnes <[email protected]> wrote:
>>> > This prompt is an important part of the security story for fullscreen. Since a fullscreen web app can hijack your entire browsing session, it's important that the user know that he's entering fullscreen and not looking at an actual browser window -- and to know that every time something goes fullscreen. So if we're going to back off of displaying the prompt every time, we need to be clear that we're assuming that the user can make this distinction.
>>> >
>>> > That honestly seems like a bad deal to me. If the prompt stays up (as Brian mentions), that's a bug and we should fix it. But a 2-3 second box for each fullscreen transition seems like a small price.
>>> >
>>> > --Richard
>>> >
>>> > On Sat, Aug 15, 2015 at 9:55 AM, Brian Smith <[email protected]> wrote:
>>> >
>>> >> IIUC, the reminder is supposed to go away after a few seconds. However, I have experienced the case, many times, where the reminder stays on screen for the entire video. IIRC, if I restart the browser and replay the same video again, then the reminder goes away.
>>> >>
>>> >> HTH,
>>> >> Brian
>>> >>
>>> >> On Sat, Aug 15, 2015 at 12:17 AM, Jared Wein <[email protected]> wrote:
>>> >>
>>> >> > Including dev-media and dev-security.
>>> >> >
>>> >> > On Fri, Aug 14, 2015 at 11:53 PM, Eric Shepherd <[email protected]> wrote:
>>> >> >
>>> >> > > Chris wrote:
>>> >> > >
>>> >> > > After quite a while of watching HTML 5 video content in fullscreen, I'm getting a bit tired of being reminded with a huge banner at the top that yes, I can still hit ESC to exit fullscreen mode. For those like myself that have gotten tired of seeing this message, could there possibly be an option somewhere (maybe in about:config) that allows the user to turn them off? It's been years now. What do you think?
>>> >> > >
>>> >> > > OMG yes please. I know how to get out of full screen mode. Make the reminders stop! :)
>>> >> > >
>>> >> > > --
>>> >> > >
>>> >> > > Eric Shepherd
>>> >> > > Senior Technical Writer
>>> >> > > Mozilla <https://www.mozilla.org/>
>>> >> > > Blog: http://www.bitstampede.com/
>>> >> > > Twitter: http://twitter.com/sheppy
>>> >> > > Check my Availability <https://freebusy.io/[email protected]>
>>> >> > >
>>> >> > > _______________________________________________
>>> >> > > firefox-dev mailing list
>>> >> > > [email protected]
>>> >> > > https://mail.mozilla.org/listinfo/firefox-dev
>>> >> > >
>>> >> > _______________________________________________
>>> >> > dev-security mailing list
>>> >> > [email protected]
>>> >> > https://lists.mozilla.org/listinfo/dev-security
>>> >>
>>> >> --
>>> >> https://briansmith.org/
>>> >
>>> > _______________________________________________
>>> > dev-media mailing list
>>> > [email protected]
>>> > https://lists.mozilla.org/listinfo/dev-media
>
> --
> Bluefang-Logic Networks:
>
> Scaled for your pleasure.

_______________________________________________
dev-media mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-media

