<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    First off, I have to say that I do like the new UI, regardless of
    the impetus for the change.<br>
    <br>
    However, I'm also not entirely sold that this has a strong impact on
    user security. I doubt the practicality of such an attack, since you
    would have to reasonably match:<br>
    <br>
    * The OS native theme.<br>
    * The browser's chrome elements and theme.<br>
    * Basic browser chrome functionality and behavior.<br>
    * Have the user overlook that the browser just flipped out when
    visiting a site or clicking a link.<br>
    <br>
    Fortunately for the user, the first two aspects are incredibly easy
    to change. For example, when I tried the proof of concept, my
    browser theme went from light grey to dark gray and all of the
    toolbars - and their contents - changed. If a malicious site is able
    to accurately capture the state of, and reproduce, the desktop and
    browser chrome, I'd say that is a much more serious issue than
    triggering full screen.<br>
    <br>
    For me, the biggest issue with this attack is getting the user to
    ignore the browser spontaneously maximizing/full screening, which is
    rather jarring. I expect most users will only intentionally enter
    full screen when playing a game or watching a video, so having the
    browser do it on its own would hopefully be enough of a red flag.
    But if you can get the user to ignore that, then they're probably
    also going to ignore, or be oblivious to the full screen
    notification.<br>
    <br>
    I will grant that there is a large number of users that do not make
    cosmetic changes to their OS or Firefox, so they would be much more
    susceptible to an attack like this. But these users are also not
    likely to want a knob to turn off the notification.<br>
    <br>
    So, implementing an option, per site or globally, to turn off this
    nag doesn't seem like an entirely unreasonable request. I know I
    certainly would turn it off.<br>
    <br>
    <div class="moz-cite-prefix">On 08/16/2015 11:53 PM, Eric Rescorla
      wrote:<br>
    </div>
    <blockquote
cite="mid:CABcZeBNqXZCgdB=DK4U04hwsLkYrMd+twmf765SK69zmjT0Axg@mail.gmail.com"
      type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Sun, Aug 16, 2015 at 8:07 PM, Eric
            Shepherd <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:eshepherd@mozilla.com" target="_blank">eshepherd@mozilla.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="auto">
                <div>I have to agree with Gavin here: the risk of this
                  sort of attack occurring is very low,</div>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>Do you have some evidence for this?</div>
            <div><br>
            </div>
            <div>-Ekr</div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="auto">
                <div> but the potential for annoying or confusing users
                  with this presentation is, if not high, at least high
                  enough to make it overkill. At least having a way
                  (even if it's an <a class="moz-txt-link-freetext" href="about:config">about:config</a> only thing) to drop this
                  reminder once you have it through your head, would be
                  helpful.</div>
                <div><br>
                </div>
                <div>Or what if we add a checkbox "don't show this
                  again" BUT only after, say, ten times displayed. That
                  way you can be sure they have seen the warning. Then
                  when they opt to stop showing it, have a confirmation
                  dialog remind them of the risk. From then on, they
                  don't get the reminder.</div>
                <div><span class="HOEnZb"><font color="#888888"><br>
                      <div>Eric Shepherd</div>
                      Sr. Technical Writer
                      <div>Mozilla</div>
                    </font></span><span class="">
                    <div>Blog: <a moz-do-not-send="true"
                        href="http://www.bitstampede.com/"
                        target="_blank">http://www.bitstampede.com/</a></div>
                    <div>Twitter: <a moz-do-not-send="true"
                        href="http://twitter.com/sheppy" target="_blank">http://twitter.com/sheppy</a></div>
                  </span></div>
                <div>
                  <div class="h5">
                    <div><br>
                      On Aug 16, 2015, at 9:38 PM, Gavin Sharp <<a
                        moz-do-not-send="true"
                        href="mailto:gavin@gavinsharp.com"
                        target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:gavin@gavinsharp.com">gavin@gavinsharp.com</a></a>>
                      wrote:<br>
                      <br>
                    </div>
                    <blockquote type="cite">
                      <div>
                        <div dir="ltr">
                          <div>I'm not making any statement as asinine
                            as "there's no point worrying about
                            security", and it's frustrating that that's
                            something I would even have to clarify.<br>
                            <br>
                            Richard stated he thought the current
                            solution had a "small price" and I disagreed
                            with him.<br>
                            <br>
                          </div>
                          <div>This boils down to a classic
                            security/usability tradeoff. Those tradeoffs
                            are ultimately matters of opinion, not fact,
                            and need to be made by estimating what is
                            likely in addition to understanding what is
                            possible.<br>
                            <br>
                          </div>
                          <div>None of us are the product owners
                            responsible for making that tradeoff, so
                            having stated my opinion I'll defer to them.<br>
                          </div>
                          <div><br>
                          </div>
                          Gavin<br>
                        </div>
                        <div class="gmail_extra"><br>
                          <div class="gmail_quote">On Sun, Aug 16, 2015
                            at 6:16 PM, Chris Hofmann <span dir="ltr"><<a
                                moz-do-not-send="true"
                                href="mailto:chofmann@mozilla.com"
                                target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:chofmann@mozilla.com">chofmann@mozilla.com</a></a>></span>
                            wrote:<br>
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex">
                              <div dir="ltr"><br>
                                <div class="gmail_extra"><br>
                                  <div class="gmail_quote"><span>On Sun,
                                      Aug 16, 2015 at 5:52 PM, Eric
                                      Rescorla <span dir="ltr"><<a
                                          moz-do-not-send="true"
                                          href="mailto:ekr@rtfm.com"
                                          target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:ekr@rtfm.com">ekr@rtfm.com</a></a>></span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote"
                                        style="margin:0 0 0
                                        .8ex;border-left:1px #ccc
                                        solid;padding-left:1ex">
                                        <div dir="ltr"><br>
                                          <div class="gmail_extra"><br>
                                            <div class="gmail_quote"><span>On
                                                Sun, Aug 16, 2015 at
                                                5:49 PM, Gavin Sharp <span
                                                  dir="ltr"><<a
                                                    moz-do-not-send="true"
href="mailto:gavin@gavinsharp.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:gavin@gavinsharp.com">gavin@gavinsharp.com</a></a>></span>
                                                wrote:<br>
                                                <blockquote
                                                  class="gmail_quote"
                                                  style="margin:0 0 0
                                                  .8ex;border-left:1px
                                                  #ccc
                                                  solid;padding-left:1ex"><span>>
                                                    But a 2-3 second box
                                                    for each fullscreen
                                                    transition seems
                                                    like a<br>
                                                    > small price.<br>
                                                    <br>
                                                  </span>Seems like a
                                                  pretty large price to
                                                  me, given a
                                                  combination of
                                                  factors:<br>
                                                  - significant added
                                                  friction to a common
                                                  user action ("start
                                                  watching<br>
                                                  this video in
                                                  fullscreen")<br>
                                                  - low likelihood that
                                                  the type of attack
                                                  this mitigates
                                                  ("fullscreen<br>
                                                  spoofing") is
                                                  successful even
                                                  without any
                                                  mitigation, and the<br>
                                                  relatively high
                                                  cost/benefit ratio for
                                                  such an attack<br>
                                                </blockquote>
                                              </span></div>
                                          </div>
                                        </div>
                                      </blockquote>
                                      <div><br>
                                      </div>
                                    </span>
                                    <div>Not sure if I understand the
                                      point you are trying to make with
                                      this and the next item below.<br>
                                      <br>
                                    </div>
                                    <div>Are you saying that there is
                                      high cost to building such an
                                      attack and low benefit to the
                                      attacker?<br>
                                      <br>
                                    </div>
                                    <div>Are you suggesting that a small
                                      level of defense is worthless, so it's
                                      better to just get rid of all
                                      the defenses?<br>
                                      <br>
                                    </div>
                                    <div>Good reading from a few years
                                      ago, with the proof of concept to
                                      go along with it.<br>
                                      <a moz-do-not-send="true"
                                        href="http://feross.org/html5-fullscreen-api-attack/"
                                        target="_blank">http://feross.org/html5-fullscreen-api-attack/</a><br>
                                      <br>
                                    </div>
                                    <div>The "full screen browser mode"
                                      to "full screen video" is an
                                      interesting scenario.<br>
                                      <br>
                                    </div>
                                    <div>What's the likelihood of
                                      increased targeted attacks against
                                      Firefox if we remove or reduce the
                                      defenses?<br>
                                      <br>
                                    </div>
                                    <div>-chofmann<br>
                                    </div>
                                    <div>
                                      <div>
                                        <div><br>
                                           <br>
                                        </div>
                                        <blockquote class="gmail_quote"
                                          style="margin:0 0 0
                                          .8ex;border-left:1px #ccc
                                          solid;padding-left:1ex">
                                          <div dir="ltr">
                                            <div class="gmail_extra">
                                              <div class="gmail_quote"><span>
                                                  <blockquote
                                                    class="gmail_quote"
                                                    style="margin:0 0 0
                                                    .8ex;border-left:1px
                                                    #ccc
                                                    solid;padding-left:1ex">
                                                    - low likelihood
                                                    that it usefully
                                                    mitigates a
                                                    sophisticated attack
                                                    of this sort<br>
                                                  </blockquote>
                                                  <div><br>
                                                  </div>
                                                </span>
                                                <div>Can you please
                                                  point to some
                                                  supporting
                                                  documentation for
                                                  these claims?</div>
                                                <div><br>
                                                </div>
                                                <div>-Ekr</div>
                                                <div>
                                                  <div>
                                                    <div><br>
                                                    </div>
                                                    <blockquote
                                                      class="gmail_quote"
                                                      style="margin:0 0
                                                      0
                                                      .8ex;border-left:1px
                                                      #ccc
                                                      solid;padding-left:1ex">
                                                      - low rate of
                                                      abuse of
                                                      pre-existing
                                                      equivalent
                                                      functionality
                                                      (e.g.<br>
                                                      Flash's
                                                      fullscreen)</blockquote>
                                                    <div><br>
                                                    </div>
                                                    <div> </div>
                                                    <blockquote
                                                      class="gmail_quote"
                                                      style="margin:0 0
                                                      0
                                                      .8ex;border-left:1px
                                                      #ccc
                                                      solid;padding-left:1ex"> <br>
                                                    </blockquote>
                                                    <blockquote
                                                      class="gmail_quote"
                                                      style="margin:0 0
                                                      0
                                                      .8ex;border-left:1px
                                                      #ccc
                                                      solid;padding-left:1ex">
                                                      Gavin<br>
                                                      <div>
                                                        <div><br>
                                                          On Sun, Aug
                                                          16, 2015 at
                                                          12:15 PM,
                                                          Richard Barnes
                                                          <<a
                                                          moz-do-not-send="true"
href="mailto:rbarnes@mozilla.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:rbarnes@mozilla.com">rbarnes@mozilla.com</a></a>>
                                                          wrote:<br>
                                                          > This
                                                          prompt is an
                                                          important part
                                                          of the
                                                          security story
                                                          for
                                                          fullscreen.<br>
                                                          > Since a
                                                          fullscreen web
                                                          app can hijack
                                                          your entire
                                                          browsing
                                                          session, it's<br>
                                                          > important
                                                          that the user
                                                          know that he's
                                                          entering
                                                          fullscreen and
                                                          not looking<br>
                                                          > at an
                                                          actual browser
                                                          window -- and
                                                          to know that
                                                          every time
                                                          something goes<br>
                                                          >
                                                          fullscreen. 
                                                          So if we're
                                                          going to back
                                                          off of
                                                          displaying the
                                                          prompt every<br>
                                                          > time, we
                                                          need to be
                                                          clear that
                                                          we're assuming
                                                          that the user
                                                          can make this<br>
                                                          >
                                                          distinction.<br>
                                                          ><br>
                                                          > That
                                                          honestly seems
                                                          like a bad
                                                          deal to me. 
                                                          If the prompt
                                                          stays up (as<br>
                                                          > Brian
                                                          mentions),
                                                          that's a bug
                                                          and we should
                                                          fix it.  But a
                                                          2-3 second box<br>
                                                          > for each
                                                          fullscreen
                                                          transition
                                                          seems like a
                                                          small price.<br>
                                                          ><br>
                                                          > --Richard<br>
                                                          ><br>
                                                          > On Sat,
                                                          Aug 15, 2015
                                                          at 9:55 AM,
                                                          Brian Smith
                                                          <<a
                                                          moz-do-not-send="true"
href="mailto:brian@briansmith.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:brian@briansmith.org">brian@briansmith.org</a></a>>
                                                          wrote:<br>
                                                          ><br>
                                                          >> IIUC,
                                                          the reminder
                                                          is supposed to
                                                          go away after
                                                          a few seconds.
                                                          However, I<br>
                                                          >> have
                                                          experienced
                                                          the case, many
                                                          times, where
                                                          the reminder
                                                          stays on
                                                          screen<br>
                                                          >> for
                                                          the entire
                                                          video. IIRC,
                                                          if I restart
                                                          the browser
                                                          and replay the
                                                          same<br>
                                                          >> video
                                                          again, then
                                                          the reminder
                                                          goes away.<br>
                                                          >><br>
                                                          >> HTH,<br>
                                                          >> Brian<br>
                                                          >><br>
                                                          >> On
                                                          Sat, Aug 15,
                                                          2015 at 12:17
                                                          AM, Jared Wein
                                                          <<a
                                                          moz-do-not-send="true"
href="mailto:jaws@mozilla.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:jaws@mozilla.com">jaws@mozilla.com</a></a>>
                                                          wrote:<br>
                                                          >><br>
                                                          >> >
                                                          Including
                                                          dev-media and
                                                          dev-security.<br>
                                                          >> ><br>
                                                          >> >
                                                          On Fri, Aug
                                                          14, 2015 at
                                                          11:53 PM, Eric
                                                          Shepherd <<a
moz-do-not-send="true" href="mailto:eshepherd@mozilla.com"
                                                          target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:eshepherd@mozilla.com">eshepherd@mozilla.com</a></a>><br>
                                                          >> >
                                                          wrote:<br>
                                                          >> ><br>
                                                          >> >
                                                          > Chris
                                                          wrote:<br>
                                                          >> >
                                                          ><br>
                                                          >> >
                                                          > After
                                                          quite a while
                                                          of watching
                                                          HTML 5 video
                                                          content in
                                                          fullscreen,
                                                          I'm<br>
                                                          >> >
                                                          > getting a
                                                          bit tired of
                                                          being reminded
                                                          with a huge
                                                          banner at the
                                                          top<br>
                                                          >> that<br>
                                                          >> > > yes, I can still hit ESC to exit fullscreen mode. For those like myself<br>
                                                          >> > > that have gotten tired of seeing this message, could there possibly be<br>
                                                          >> an<br>
                                                          >> > > option somewhere (maybe in <a class="moz-txt-link-freetext" href="about:config">about:config</a>) that allows the user to turn<br>
                                                          >> > them<br>
                                                          >> > > off? It's been years now. What do you think?<br>
                                                          >> > ><br>
                                                          >> > > OMG yes please. I know how to get out of full screen mode. Make the<br>
                                                          >> > > reminders stop! :)<br>
                                                          >> >
                                                          ><br>
                                                          >> >
                                                          > --<br>
                                                          >> >
                                                          ><br>
                                                          >> >
                                                          > Eric
                                                          Shepherd<br>
                                                          >> >
                                                          > Senior
                                                          Technical
                                                          Writer<br>
                                                          >> >
                                                          > Mozilla
                                                          <<a
                                                          moz-do-not-send="true"
href="https://www.mozilla.org/" rel="noreferrer" target="_blank"><a class="moz-txt-link-freetext" href="https://www.mozilla.org/">https://www.mozilla.org/</a></a>><br>
                                                          >> >
                                                          > Blog: <a
moz-do-not-send="true" href="http://www.bitstampede.com/"
                                                          rel="noreferrer"
target="_blank"><a class="moz-txt-link-freetext" href="http://www.bitstampede.com/">http://www.bitstampede.com/</a></a><br>
                                                          >> >
                                                          > Twitter:
                                                          <a
                                                          moz-do-not-send="true"
href="http://twitter.com/sheppy" rel="noreferrer" target="_blank"><a class="moz-txt-link-freetext" href="http://twitter.com/sheppy">http://twitter.com/sheppy</a></a><br>
                                                          >> >
                                                          > Check my
                                                          Availability
                                                          <<a
                                                          moz-do-not-send="true"
href="https://freebusy.io/eshepherd@mozilla.com" rel="noreferrer"
                                                          target="_blank"><a class="moz-txt-link-freetext" href="https://freebusy.io/eshepherd@mozilla.com">https://freebusy.io/eshepherd@mozilla.com</a></a>><br>
                                                          >> >
                                                          ><br>
                                                          >> >
                                                          >
                                                          _______________________________________________<br>
                                                          >> >
                                                          >
                                                          firefox-dev
                                                          mailing list<br>
                                                          >> >
                                                          > <a
                                                          moz-do-not-send="true"
href="mailto:firefox-dev@mozilla.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:firefox-dev@mozilla.org">firefox-dev@mozilla.org</a></a><br>
                                                          >> >
                                                          > <a
                                                          moz-do-not-send="true"
href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer"
                                                          target="_blank"><a class="moz-txt-link-freetext" href="https://mail.mozilla.org/listinfo/firefox-dev">https://mail.mozilla.org/listinfo/firefox-dev</a></a><br>
                                                          >> >
                                                          ><br>
                                                          >> >
                                                          ><br>
                                                          >> >
_______________________________________________<br>
                                                          >> >
                                                          dev-security
                                                          mailing list<br>
                                                          >> >
                                                          <a
                                                          moz-do-not-send="true"
href="mailto:dev-security@lists.mozilla.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:dev-security@lists.mozilla.org">dev-security@lists.mozilla.org</a></a><br>
                                                          >> >
                                                          <a
                                                          moz-do-not-send="true"
href="https://lists.mozilla.org/listinfo/dev-security" rel="noreferrer"
target="_blank"><a class="moz-txt-link-freetext" href="https://lists.mozilla.org/listinfo/dev-security">https://lists.mozilla.org/listinfo/dev-security</a></a><br>
                                                          >> ><br>
                                                          >><br>
                                                          >><br>
                                                          >><br>
                                                          >> --<br>
                                                          >> <a
                                                          moz-do-not-send="true"
href="https://briansmith.org/" rel="noreferrer" target="_blank"><a class="moz-txt-link-freetext" href="https://briansmith.org/">https://briansmith.org/</a></a><br>
                                                          >><br>
                                                        </div>
                                                      </div>
                                                      >
                                                      _______________________________________________<br>
                                                      > dev-media
                                                      mailing list<br>
                                                      > <a
                                                        moz-do-not-send="true"
href="mailto:dev-media@lists.mozilla.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:dev-media@lists.mozilla.org">dev-media@lists.mozilla.org</a></a><br>
                                                      > <a
                                                        moz-do-not-send="true"
href="https://lists.mozilla.org/listinfo/dev-media" rel="noreferrer"
                                                        target="_blank"><a class="moz-txt-link-freetext" href="https://lists.mozilla.org/listinfo/dev-media">https://lists.mozilla.org/listinfo/dev-media</a></a><br>
                                                    </blockquote>
                                                  </div>
                                                </div>
                                              </div>
                                              <br>
                                            </div>
                                          </div>
                                          <br>
                                          <br>
                                        </blockquote>
                                      </div>
                                    </div>
                                  </div>
                                  <br>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                          <br>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Bluefang-Logic Networks:

Scaled for your pleasure.</pre>
  </body>
</html>