> But a 2-3 second box for each fullscreen transition seems like a
> small price.

Seems like a pretty large price to me, given a combination of factors:

- significant added friction to a common user action ("start watching this video in fullscreen")
- low likelihood that the type of attack this mitigates ("fullscreen spoofing") is successful even without any mitigation, and the relatively high cost/benefit ratio for such an attack
- low likelihood that it usefully mitigates a sophisticated attack of this sort
- low rate of abuse of pre-existing equivalent functionality (e.g. Flash's fullscreen)

Gavin

On Sun, Aug 16, 2015 at 12:15 PM, Richard Barnes <rbar...@mozilla.com> wrote:

> This prompt is an important part of the security story for fullscreen.
> Since a fullscreen web app can hijack your entire browsing session, it's
> important that the user know that he's entering fullscreen and not looking
> at an actual browser window -- and to know that every time something goes
> fullscreen. So if we're going to back off of displaying the prompt every
> time, we need to be clear that we're assuming that the user can make this
> distinction.
>
> That honestly seems like a bad deal to me. If the prompt stays up (as
> Brian mentions), that's a bug and we should fix it. But a 2-3 second box
> for each fullscreen transition seems like a small price.
>
> --Richard
>
> On Sat, Aug 15, 2015 at 9:55 AM, Brian Smith <br...@briansmith.org> wrote:
>
>> IIUC, the reminder is supposed to go away after a few seconds. However, I
>> have experienced the case, many times, where the reminder stays on screen
>> for the entire video. IIRC, if I restart the browser and replay the same
>> video again, then the reminder goes away.
>>
>> HTH,
>> Brian
>>
>> On Sat, Aug 15, 2015 at 12:17 AM, Jared Wein <j...@mozilla.com> wrote:
>>
>> > Including dev-media and dev-security.
>> >
>> > On Fri, Aug 14, 2015 at 11:53 PM, Eric Shepherd <esheph...@mozilla.com>
>> > wrote:
>> >
>> > > Chris wrote:
>> > >
>> > > After quite a while of watching HTML 5 video content in fullscreen, I'm
>> > > getting a bit tired of being reminded with a huge banner at the top that
>> > > yes, I can still hit ESC to exit fullscreen mode. For those like myself
>> > > that have gotten tired of seeing this message, could there possibly be an
>> > > option somewhere (maybe in about:config) that allows the user to turn them
>> > > off? It's been years now. What do you think?
>> > >
>> > > OMG yes please. I know how to get out of full screen mode. Make the
>> > > reminders stop! :)
>> > >
>> > > --
>> > >
>> > > Eric Shepherd
>> > > Senior Technical Writer
>> > > Mozilla <https://www.mozilla.org/>
>> > > Blog: http://www.bitstampede.com/
>> > > Twitter: http://twitter.com/sheppy
>> > > Check my Availability <https://freebusy.io/esheph...@mozilla.com>
>> > >
>> > > _______________________________________________
>> > > firefox-dev mailing list
>> > > firefox-...@mozilla.org
>> > > https://mail.mozilla.org/listinfo/firefox-dev
>> > >
>> > _______________________________________________
>> > dev-security mailing list
>> > dev-secur...@lists.mozilla.org
>> > https://lists.mozilla.org/listinfo/dev-security
>> >
>>
>> --
>> https://briansmith.org/
>>
> _______________________________________________
> dev-media mailing list
> dev-media@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-media