<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">The desktop UX team, platform security and media/graphics teams worked together to find a good compromise that balanced security with user experience. It was a long conversation. <div class=""><br class=""></div><div class="">The Chrome browser has a similar 2-3 second fullscreen warning, even on Google sites like YouTube. They have a dedicated team testing security research. I’m not suggesting we’re fast-following them here (which is not a bad idea), but to the extent we can piggyback on things they’ve spent months/years learning, we should try.</div><div class=""><br class=""></div><div class=""><br class=""><div class=""><div apple-content-edited="true" class="">
<div class=""><br class=""><br class=""><div id="96d91169-3536-4824-ae26-5bf23d9b77ad" class=""><span name="x" class=""></span>Javaun Moradi | <a href="mailto:jmoradi@mozilla.com" class="">jmoradi@mozilla.com</a> | IRC: javaun | @javaun<br class=""><span name="x" class=""></span></div></div>
</div>
<br class=""><div><blockquote type="cite" class=""><div class="">On Aug 17, 2015, at 12:22 AM, Matthew Turnbull <<a href="mailto:sparky@bluefang-logic.com" class="">sparky@bluefang-logic.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta content="text/html; charset=windows-1252" http-equiv="Content-Type" class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
First off, I have to say that I do like the new UI, regardless of
the impetus for the change.<br class="">
<br class="">
However, I'm also not entirely sold that this has a strong impact on
user security. I doubt the practicality of such an attack, since you
would have to reasonably match:<br class="">
<br class="">
* The OS native theme.<br class="">
* The browser's chrome elements and theme.<br class="">
* Basic browser chrome functionality and behavior.<br class="">
* Have the user overlook that the browser just flipped out when
visiting a site or clicking a link.<br class="">
<br class="">
Fortunately for the user, the first two aspects are incredibly easy
to change. For example, when I tried the proof of concept, my
browser theme went from light grey to dark gray and all of the
toolbars - and their contents - changed. If a malicious site is able
to accurately capture the state of, and reproduce, the desktop and
browser chrome, I'd say that is a much more serious issue than
triggering full screen.<br class="">
<br class="">
For me, the biggest issue with this attack is getting the user to
ignore the browser spontaneously maximizing/full screening, which is
rather jarring. I expect most users will only intentionally enter
full screen when playing a game or watching a video, so having the
browser do it on its own would hopefully be enough of a red flag.
But if you can get the user to ignore that, then they're probably
also going to ignore, or be oblivious to the full screen
notification.<br class="">
<br class="">
I will grant that there is a large number of users that do not make
cosmetic changes to their OS or Firefox, so they would be much more
susceptible to an attack like this. But these users are also not
likely to want a knob to turn off the notification.<br class="">
<br class="">
So, implementing an option, per site or globally, to turn off this
nag doesn't seem like an entirely unreasonable request. I know I
certainly would turn it off.<br class="">
<br class="">
<div class="moz-cite-prefix">On 08/16/2015 11:53 PM, Eric Rescorla
wrote:<br class="">
</div>
<blockquote cite="mid:CABcZeBNqXZCgdB=DK4U04hwsLkYrMd+twmf765SK69zmjT0Axg@mail.gmail.com" type="cite" class="">
<div dir="ltr" class=""><br class="">
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Sun, Aug 16, 2015 at 8:07 PM, Eric
Shepherd <span dir="ltr" class=""><<a moz-do-not-send="true" href="mailto:eshepherd@mozilla.com" target="_blank" class="">eshepherd@mozilla.com</a>></span>
wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto" class="">
<div class="">I have to agree with Gavin here: the risk of this
sort of attack occurring is very low,</div>
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">Do you have some evidence for this?</div>
<div class=""><br class="">
</div>
<div class="">-Ekr</div>
<div class=""> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto" class="">
<div class=""> but the potential for annoying or confusing users
with this presentation is, if not high, at least high
enough to make it overkill. At least having a way
(even if it's an <a class="moz-txt-link-freetext" href="about:config">about:config</a> only thing) to drop this
reminder once you have it through your head, would be
helpful.</div>
<div class=""><br class="">
</div>
<div class="">Or what if we add a checkbox "don't show this
again" BUT only after, say, ten times displayed. That
way you can be sure they have seen the warning. Then
when they opt to stop showing it, have a confirmation
dialog remind them of the risk. From then on, they
don't get the reminder.</div>
<div class=""><span class="HOEnZb"><font color="#888888" class=""><br class="">
<div class="">Eric Shepherd</div>
Sr. Technical Writer
<div class="">Mozilla</div>
</font></span><span class="">
<div class="">Blog: <a moz-do-not-send="true" href="http://www.bitstampede.com/" target="_blank" class="">http://www.bitstampede.com/</a></div>
<div class="">Twitter: <a moz-do-not-send="true" href="http://twitter.com/sheppy" target="_blank" class="">http://twitter.com/sheppy</a></div>
</span></div>
<div class="">
<div class="h5">
<div class=""><br class="">
On Aug 16, 2015, at 9:38 PM, Gavin Sharp <<a moz-do-not-send="true" href="mailto:gavin@gavinsharp.com" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:gavin@gavinsharp.com">gavin@gavinsharp.com</a>>
wrote:<br class="">
<br class="">
</div>
<blockquote type="cite" class="">
<div class="">
<div dir="ltr" class="">
<div class="">I'm not making any statement as asinine
as "there's no point worrying about
security", and it's frustrating that that's
something I would even have to clarify.<br class="">
<br class="">
Richard stated he thought the current
solution had a "small price" and I disagreed
with him.<br class="">
<br class="">
</div>
<div class="">This boils down to a classic
security/usability tradeoff. Those tradeoffs
are ultimately matters of opinion, not fact,
and need to be made by estimating what is
likely in addition to understanding what is
possible.<br class="">
<br class="">
</div>
<div class="">None of us are the product owners
responsible for making that tradeoff, so
having stated my opinion I'll defer to them.<br class="">
</div>
<div class=""><br class="">
</div>
Gavin<br class="">
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Sun, Aug 16, 2015
at 6:16 PM, Chris Hofmann <span dir="ltr" class=""><<a moz-do-not-send="true" href="mailto:chofmann@mozilla.com" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:chofmann@mozilla.com">chofmann@mozilla.com</a>></span>
wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div dir="ltr" class=""><br class="">
<div class="gmail_extra"><br class="">
<div class="gmail_quote"><span class="">On Sun,
Aug 16, 2015 at 5:52 PM, Eric
Rescorla <span dir="ltr" class=""><<a moz-do-not-send="true" href="mailto:ekr@rtfm.com" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:ekr@rtfm.com">ekr@rtfm.com</a>></span>
wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr" class=""><br class="">
<div class="gmail_extra"><br class="">
<div class="gmail_quote"><span class="">On
Sun, Aug 16, 2015 at
5:49 PM, Gavin Sharp <span dir="ltr" class=""><<a moz-do-not-send="true" href="mailto:gavin@gavinsharp.com" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:gavin@gavinsharp.com">gavin@gavinsharp.com</a>></span>
wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex"><span class="">>
But a 2-3 second box
for each fullscreen
transition seems
like a<br class="">
> small price.<br class="">
<br class="">
</span>Seems like a
pretty large price to
me, given a
combination of
factors:<br class="">
- significant added
friction to a common
user action ("start
watching<br class="">
this video in
fullscreen")<br class="">
- low likelihood that
the type of attack
this mitigates
("fullscreen<br class="">
spoofing") is
successful even
without any
mitigation, and the<br class="">
relatively high
cost/benefit ratio for
such an attack<br class="">
</blockquote>
</span></div>
</div>
</div>
</blockquote>
<div class=""><br class="">
</div>
</span>
<div class="">Not sure if I understand the
point you are trying to make with
this and the next item below.<br class="">
<br class="">
</div>
<div class="">Are you saying that there is
high cost to building such an
attack and low benefit to the
attacker?<br class="">
<br class="">
</div>
<div class="">Are you suggesting that a small
level of defense is worthless so
it's better to just get rid of all
the defenses?<br class="">
<br class="">
</div>
<div class="">Good reading from a few years
ago, with the proof of concept to
go along with it.<br class="">
<a moz-do-not-send="true" href="http://feross.org/html5-fullscreen-api-attack/" target="_blank" class="">http://feross.org/html5-fullscreen-api-attack/</a><br class="">
<br class="">
</div>
<div class="">The "full screen browser mode"
to "full screen video" is an
interesting scenario.<br class="">
<br class="">
</div>
<div class="">What's the likelihood of
increased targeted attacks against
Firefox if we remove or reduce the
defenses? <br class="">
<br class="">
</div>
<div class="">-chofmann<br class="">
</div>
<div class="">
<div class="">
<div class=""><br class="">
<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr" class="">
<div class="gmail_extra">
<div class="gmail_quote"><span class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
- low likelihood
that it usefully
mitigates a
sophisticated attack
of this sort<br class="">
</blockquote>
<div class=""><br class="">
</div>
</span>
<div class="">Can you please
point to some
supporting
documentation for
these claims?</div>
<div class=""><br class="">
</div>
<div class="">-Ekr</div>
<div class="">
<div class="">
<div class=""><br class="">
</div>
<blockquote class="gmail_quote" style="margin:0 0
0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
- low rate of
abuse of
pre-existing
equivalent
functionality
(e.g.<br class="">
Flash's
fullscreen)</blockquote>
<div class=""><br class="">
</div>
<div class=""> </div>
<blockquote class="gmail_quote" style="margin:0 0
0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex"> <br class="">
</blockquote>
<blockquote class="gmail_quote" style="margin:0 0
0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
Gavin<br class="">
<div class="">
<div class=""><br class="">
On Sun, Aug
16, 2015 at
12:15 PM,
Richard Barnes
<<a moz-do-not-send="true" href="mailto:rbarnes@mozilla.com" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:rbarnes@mozilla.com">rbarnes@mozilla.com</a>>
wrote:<br class="">
> This
prompt is an
important part
of the
security story
for
fullscreen.<br class="">
> Since a
fullscreen web
app can hijack
your entire
browsing
session, it's<br class="">
> important
that the user
know that he's
entering
fullscreen and
not looking<br class="">
> at an
actual browser
window -- and
to know that
every time
something goes<br class="">
>
fullscreen.
So if we're
going to back
off of
displaying the
prompt every<br class="">
> time, we
need to be
clear that
we're assuming
that the user
can make this<br class="">
>
distinction.<br class="">
><br class="">
> That
honestly seems
like a bad
deal to me.
If the prompt
stays up (as<br class="">
> Brian
mentions),
that's a bug
and we should
fix it. But a
2-3 second box<br class="">
> for each
fullscreen
transition
seems like a
small price.<br class="">
><br class="">
> --Richard<br class="">
><br class="">
> On Sat,
Aug 15, 2015
at 9:55 AM,
Brian Smith
<<a moz-do-not-send="true" href="mailto:brian@briansmith.org" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:brian@briansmith.org">brian@briansmith.org</a>>
wrote:<br class="">
><br class="">
>> IIUC,
the reminder
is supposed to
go away after
a few seconds.
However, I<br class="">
>> have
experienced
the case, many
times, where
the reminder
stays on
screen<br class="">
>> for
the entire
video. IIRC,
if I restart
the browser
and replay the
same<br class="">
>> video
again, then
the reminder
goes away.<br class="">
>><br class="">
>> HTH,<br class="">
>> Brian<br class="">
>><br class="">
>> On
Sat, Aug 15,
2015 at 12:17
AM, Jared Wein
<<a moz-do-not-send="true" href="mailto:jaws@mozilla.com" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:jaws@mozilla.com">jaws@mozilla.com</a>>
wrote:<br class="">
>><br class="">
>> >
Including
dev-media and
dev-security.<br class="">
>> ><br class="">
>> >
On Fri, Aug
14, 2015 at
11:53 PM, Eric
Shepherd <<a moz-do-not-send="true" href="mailto:eshepherd@mozilla.com" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:eshepherd@mozilla.com">eshepherd@mozilla.com</a>><br class="">
>> >
wrote:<br class="">
>> ><br class="">
>> >
> Chris
wrote:<br class="">
>> >
><br class="">
>> >
> After
quite a while
of watching
HTML 5 video
content in
fullscreen,
I'm<br class="">
>> >
> getting a
bit tired of
being reminded
with a huge
banner at the
top<br class="">
>> that<br class="">
>> >
> yes, I
can still hit
ESC to exit
fullscreen
mode. For
those like
myself<br class="">
>> >
> that have
gotten tired
of seeing this
message, could
there possibly
be<br class="">
>> an<br class="">
>> >
> option
somewhere
(maybe in
<a class="moz-txt-link-freetext" href="about:config">about:config</a>)
that allows
the user to
turn<br class="">
>> >
them<br class="">
>> >
> off? It's
been years
now. What do
you think?<br class="">
>> >
><br class="">
>> >
> OMG yes
please. I know
how to get out
of full screen
mode. Make the<br class="">
>> >
> reminders
stop! :)<br class="">
>> >
><br class="">
>> >
> --<br class="">
>> >
><br class="">
>> >
> Eric
Shepherd<br class="">
>> >
> Senior
Technical
Writer<br class="">
>> >
> Mozilla
<<a moz-do-not-send="true" href="https://www.mozilla.org/" rel="noreferrer" target="_blank" class=""></a><a class="moz-txt-link-freetext" href="https://www.mozilla.org/">https://www.mozilla.org/</a>><br class="">
>> >
> Blog: <a moz-do-not-send="true" href="http://www.bitstampede.com/" rel="noreferrer" target="_blank" class=""></a><a class="moz-txt-link-freetext" href="http://www.bitstampede.com/">http://www.bitstampede.com/</a><br class="">
>> >
> Twitter:
<a moz-do-not-send="true" href="http://twitter.com/sheppy" rel="noreferrer" target="_blank" class=""></a><a class="moz-txt-link-freetext" href="http://twitter.com/sheppy">http://twitter.com/sheppy</a><br class="">
>> >
> Check my
Availability
<<a moz-do-not-send="true" href="https://freebusy.io/eshepherd@mozilla.com" rel="noreferrer" target="_blank" class=""></a><a class="moz-txt-link-freetext" href="https://freebusy.io/eshepherd@mozilla.com">https://freebusy.io/eshepherd@mozilla.com</a>><br class="">
>> >
><br class="">
>> >
>
_______________________________________________<br class="">
>> >
>
firefox-dev
mailing list<br class="">
>> >
> <a moz-do-not-send="true" href="mailto:firefox-dev@mozilla.org" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:firefox-dev@mozilla.org">firefox-dev@mozilla.org</a><br class="">
>> >
> <a moz-do-not-send="true" href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer" target="_blank" class=""></a><a class="moz-txt-link-freetext" href="https://mail.mozilla.org/listinfo/firefox-dev">https://mail.mozilla.org/listinfo/firefox-dev</a><br class="">
>> >
><br class="">
>> >
><br class="">
>> >
_______________________________________________<br class="">
>> >
dev-security
mailing list<br class="">
>> >
<a moz-do-not-send="true" href="mailto:dev-security@lists.mozilla.org" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:dev-security@lists.mozilla.org">dev-security@lists.mozilla.org</a><br class="">
>> >
<a moz-do-not-send="true" href="https://lists.mozilla.org/listinfo/dev-security" rel="noreferrer" target="_blank" class=""></a><a class="moz-txt-link-freetext" href="https://lists.mozilla.org/listinfo/dev-security">https://lists.mozilla.org/listinfo/dev-security</a><br class="">
>> ><br class="">
>><br class="">
>><br class="">
>><br class="">
>> --<br class="">
>> <a moz-do-not-send="true" href="https://briansmith.org/" rel="noreferrer" target="_blank" class=""></a><a class="moz-txt-link-freetext" href="https://briansmith.org/">https://briansmith.org/</a><br class="">
>>
_______________________________________________<br class="">
>>
dev-security
mailing list<br class="">
>> <a moz-do-not-send="true" href="mailto:dev-security@lists.mozilla.org" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:dev-security@lists.mozilla.org">dev-security@lists.mozilla.org</a><br class="">
>> <a moz-do-not-send="true" href="https://lists.mozilla.org/listinfo/dev-security" rel="noreferrer" target="_blank" class=""></a><a class="moz-txt-link-freetext" href="https://lists.mozilla.org/listinfo/dev-security">https://lists.mozilla.org/listinfo/dev-security</a><br class="">
>><br class="">
</div>
</div>
>
_______________________________________________<br class="">
> dev-media
mailing list<br class="">
> <a moz-do-not-send="true" href="mailto:dev-media@lists.mozilla.org" target="_blank" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:dev-media@lists.mozilla.org">dev-media@lists.mozilla.org</a><br class="">
> <a moz-do-not-send="true" href="https://lists.mozilla.org/listinfo/dev-media" rel="noreferrer" target="_blank" class=""></a><a class="moz-txt-link-freetext" href="https://lists.mozilla.org/listinfo/dev-media">https://lists.mozilla.org/listinfo/dev-media</a><br class="">
</blockquote>
</div>
</div>
</div>
<br class="">
</div>
</div>
<br class="">
<br class="">
</blockquote>
</div>
</div>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
<br class="">
</blockquote>
<br class="">
<pre class="moz-signature" cols="72">--
Bluefang-Logic Networks:
Scaled for your pleasure.</pre>
</div>
</div></blockquote></div><br class=""></div></div></body></html>