On 13/03/2019 00:22, flor...@rivoal.net wrote:
> Given that this is not merely setting a limit because you find that 
> implementation more convenient, but actually a case of considering it 
> desirable to ignore large cursors in certain cases (and for security reasons 
> even), I wonder if this is something that we should consider including in the 
> specification. What do you think?

I think a note or such in the spec would be nice, yeah. FWIW some
platforms already had pre-existing cursor limits for similar reasons[1]
since forever.

I probably wouldn't bother specifying a concrete limit, though not sure
how you feel about that. Seems like depending how big the browser's UI
is, a browser could make different tradeoffs without compromising security.

 -- Emilio

[1]:
https://searchfox.org/mozilla-central/rev/89414a1df52d06cfc35529afb9a5a8542a6e4270/widget/gtk/nsWindow.cpp#1465

> —Florian
> 
> On Wednesday, March 13, 2019 at 4:50:01 AM UTC+9, Emilio Cobos Álvarez wrote:
>> Hi, just some email I forgot to send a while ago.
>>
>> Summary: Block cursor images larger than 32 pixels wide that intersect
>> the Browser UI, by falling back to the default cursor (as if no cursor
>> image could be loaded).
>>
>> This prevents malware sites from hijacking the cursor and making it look
>> as if the cursor was on top of the browser UI. See the bug for test-cases
>> and examples.
>>
>> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1445844
>>
>> Link to standard: N/A (this is more of an intervention)
>>
>> Platform coverage: All desktop platforms.
>>
>> Estimated target release: 67
>>
>> Preference behind which this will be implemented: Two prefs control this
>> behavior. `layout.cursor.block.enabled` controls whether we block
>> cursors at all. `layout.cursor.block.max-size` controls the maximum size
>> in either axis that the cursor can have without being blocked.
>>
>> Devtools bug: I don't think any particular devtools support is needed.
>>
>> web-platform-tests: Can't really test this.
>>
>> Do other browser engines implement this? Blink is doing the same change
>> in https://bugs.chromium.org/p/chromium/issues/detail?id=880863.
>>
>> Their data estimates that 0.1% of page visits hit this, and they're
>> going with the same cursor size of 32 (I was going initially for 64, see
>> bug for discussion).
>>
>> I made sure that, should any surprise come up, turning this off is
>> trivial, but I think it's worth doing, and the change has been in
>> Nightly for quite a while without any surprise.
>>
>>  -- Emilio
> 
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
> 
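The blocking rule described in the intent-to-ship mail above (a cursor larger than the max size in either axis is replaced by the default cursor, but only when it would reach the browser UI), as an added Python model that is not Firefox's or Blink's code. The pref names come from the mail; the hotspot geometry and the use of "image rect not fully inside the content area" as the test for "intersects the browser UI" are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the mitigation, not the browser's implementation.


@dataclass(frozen=True)
class Rect:
    x: int
    y: int
    w: int
    h: int

    def contains(self, other: "Rect") -> bool:
        """True when `other` lies entirely inside this rectangle."""
        return (self.x <= other.x and self.y <= other.y
                and other.x + other.w <= self.x + self.w
                and other.y + other.h <= self.y + self.h)


# Pref names are from the mail; the values are the announced defaults.
DEFAULT_PREFS = {
    "layout.cursor.block.enabled": True,
    "layout.cursor.block.max-size": 32,
}

# Constructed layout: an 80px-high toolbar above a 1280x720 content area.
CONTENT_AREA = Rect(0, 80, 1280, 720)


def cursor_image_rect(pointer_x, pointer_y, width, height, hotspot=(0, 0)):
    """Screen rectangle the cursor image would cover (assumption: the pointer
    sits at the hotspot, so the image extends up/left by the hotspot offset)."""
    hx, hy = hotspot
    return Rect(pointer_x - hx, pointer_y - hy, width, height)


def should_block_cursor(image: Rect, content_area: Rect, prefs=DEFAULT_PREFS):
    """True when the custom cursor must fall back to the default cursor."""
    if not prefs["layout.cursor.block.enabled"]:
        return False
    max_size = prefs["layout.cursor.block.max-size"]
    oversized = image.w > max_size or image.h > max_size
    # A large cursor drawn fully inside the page cannot impersonate browser
    # chrome, so only oversized images that spill out of the content area
    # (assumed proxy for "intersects the browser UI") are blocked.
    return oversized and not content_area.contains(image)
```

A 128x128 image with a centred hotspot near the top edge of the page spills over the toolbar and is blocked; the same image in the middle of the page, or a 32x32 image anywhere, is not.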