<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Aug 16, 2015 at 5:49 PM, Gavin Sharp <span dir="ltr"><<a href="mailto:gavin@gavinsharp.com" target="_blank">gavin@gavinsharp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> But a 2-3 second box for each fullscreen transition seems like a<br>
> small price.<br>
<br>
</span>Seems like a pretty large price to me, given a combination of factors:<br>
- significant added friction to a common user action ("start watching<br>
this video in fullscreen")<br>
- low likelihood that the type of attack this mitigates ("fullscreen<br>
spoofing") is successful even without any mitigation, and the<br>
relatively high cost/benefit ratio for such an attack<br>
- low likelihood that it usefully mitigates a sophisticated attack of this sort<br></blockquote><div><br></div><div>Can you please point to some supporting documentation for these claims?</div><div><br></div><div>-Ekr</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
- low rate of abuse of pre-existing equivalent functionality (e.g.<br>
Flash's fullscreen)</blockquote><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Gavin<br>
<div><div class="h5"><br>
On Sun, Aug 16, 2015 at 12:15 PM, Richard Barnes <<a href="mailto:rbarnes@mozilla.com">rbarnes@mozilla.com</a>> wrote:<br>
> This prompt is an important part of the security story for fullscreen.<br>
> Since a fullscreen web app can hijack your entire browsing session, it's<br>
> important that the user know that he's entering fullscreen and not looking<br>
> at an actual browser window -- and to know that every time something goes<br>
> fullscreen. So if we're going to back off of displaying the prompt every<br>
> time, we need to be clear that we're assuming that the user can make this<br>
> distinction.<br>
><br>
> That honestly seems like a bad deal to me. If the prompt stays up (as<br>
> Brian mentions), that's a bug and we should fix it. But a 2-3 second box<br>
> for each fullscreen transition seems like a small price.<br>
><br>
> --Richard<br>
><br>
> On Sat, Aug 15, 2015 at 9:55 AM, Brian Smith <<a href="mailto:brian@briansmith.org">brian@briansmith.org</a>> wrote:<br>
><br>
>> IIUC, the reminder is supposed to go away after a few seconds. However, I<br>
>> have experienced the case, many times, where the reminder stays on screen<br>
>> for the entire video. IIRC, if I restart the browser and replay the same<br>
>> video again, then the reminder goes away.<br>
>><br>
>> HTH,<br>
>> Brian<br>
>><br>
>> On Sat, Aug 15, 2015 at 12:17 AM, Jared Wein <<a href="mailto:jaws@mozilla.com">jaws@mozilla.com</a>> wrote:<br>
>><br>
>> > Including dev-media and dev-security.<br>
>> ><br>
>> > On Fri, Aug 14, 2015 at 11:53 PM, Eric Shepherd <<a href="mailto:eshepherd@mozilla.com">eshepherd@mozilla.com</a>><br>
>> > wrote:<br>
>> ><br>
>> > > Chris wrote:<br>
>> > ><br>
>> > > After quite a while of watching HTML 5 video content in fullscreen, I'm<br>
>> > > getting a bit tired of being reminded with a huge banner at the top<br>
>> that<br>
>> > > yes, I can still hit ESC to exit fullscreen mode. For those like myself<br>
>> > > that have gotten tired of seeing this message, could there possibly be<br>
>> an<br>
>> > > option somewhere (maybe in about:config) that allows the user to turn<br>
>> > them<br>
>> > > off? It's been years now. What do you think?<br>
>> > ><br>
>> > > OMG yes please. I know how to get out of full screen mode. Make the<br>
>> > > reminders stop! :)<br>
>> > ><br>
>> > > --<br>
>> > ><br>
>> > > Eric Shepherd<br>
>> > > Senior Technical Writer<br>
>> > > Mozilla <<a href="https://www.mozilla.org/" rel="noreferrer" target="_blank">https://www.mozilla.org/</a>><br>
>> > > Blog: <a href="http://www.bitstampede.com/" rel="noreferrer" target="_blank">http://www.bitstampede.com/</a><br>
>> > > Twitter: <a href="http://twitter.com/sheppy" rel="noreferrer" target="_blank">http://twitter.com/sheppy</a><br>
>> > > Check my Availability <<a href="https://freebusy.io/eshepherd@mozilla.com" rel="noreferrer" target="_blank">https://freebusy.io/eshepherd@mozilla.com</a>><br>
>> > ><br>
>> > > _______________________________________________<br>
>> > > firefox-dev mailing list<br>
>> > > <a href="mailto:firefox-dev@mozilla.org">firefox-dev@mozilla.org</a><br>
>> > > <a href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/firefox-dev</a><br>
>> > ><br>
>> > ><br>
>> > _______________________________________________<br>
>> > dev-security mailing list<br>
>> > <a href="mailto:dev-security@lists.mozilla.org">dev-security@lists.mozilla.org</a><br>
>> > <a href="https://lists.mozilla.org/listinfo/dev-security" rel="noreferrer" target="_blank">https://lists.mozilla.org/listinfo/dev-security</a><br>
>> ><br>
>><br>
>><br>
>><br>
>> --<br>
>> <a href="https://briansmith.org/" rel="noreferrer" target="_blank">https://briansmith.org/</a><br>
>> _______________________________________________<br>
>> dev-security mailing list<br>
>> <a href="mailto:dev-security@lists.mozilla.org">dev-security@lists.mozilla.org</a><br>
>> <a href="https://lists.mozilla.org/listinfo/dev-security" rel="noreferrer" target="_blank">https://lists.mozilla.org/listinfo/dev-security</a><br>
>><br>
</div></div>> _______________________________________________<br>
> dev-media mailing list<br>
> <a href="mailto:dev-media@lists.mozilla.org">dev-media@lists.mozilla.org</a><br>
> <a href="https://lists.mozilla.org/listinfo/dev-media" rel="noreferrer" target="_blank">https://lists.mozilla.org/listinfo/dev-media</a><br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
firefox-dev mailing list<br>
<a href="mailto:firefox-dev@mozilla.org">firefox-dev@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/firefox-dev</a><br>
</div></div></blockquote></div><br></div></div>