Hi, just some email I forgot to send a while ago.

Summary: Block cursor images larger than 32 pixels wide that intersect the Browser UI, by falling back to the default cursor (as if no cursor image could be loaded). This prevents malware sites from hijacking the cursor and making it look as if the cursor was on top of the browser UI. See the bug for test-cases and examples.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1445844

Link to standard: N/A (this is more of an intervention)

Platform coverage: All desktop platforms.

Estimated target release: 67

Preference behind which this will be implemented: Two prefs control this behavior. `layout.cursor.block.enabled` controls whether we block cursors at all. `layout.cursor.block.max-size` controls the maximum size in either axis that the cursor can have without being blocked.

Devtools bug: I don't think any particular devtools support is needed.

web-platform-tests: Can't really test this.

Do other browser engines implement this? Blink is doing the same change in https://bugs.chromium.org/p/chromium/issues/detail?id=880863. Their data estimates that 0.1% of page visits hit this, and they're going with the same cursor size of 32 (I was going initially for 64, see bug for discussion).

I made sure that should any surprise come up, turning this off is trivial, but I think it's worth doing, and the change has been in Nightly for quite a while without any surprise.

-- Emilio

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
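
The decision described in the message above, as an added sketch that is not part of the original email and is not Gecko's code. All type and function names are hypothetical, and it assumes that everything outside the content area rectangle counts as browser UI and that the image is drawn with its hotspot on the pointer position.

```cpp
// Added illustration, not Gecko source. All names here are hypothetical.
#include <cstdio>

struct Rect { int x, y, w, h; };  // CSS pixels, window coordinates

struct CursorPrefs {
  bool block_enabled = true;  // stands in for layout.cursor.block.enabled
  int max_size = 32;          // stands in for layout.cursor.block.max-size
};

struct CursorImage { int width, height, hotspot_x, hotspot_y; };

// True when `inner` lies entirely inside `outer`.
static bool Contains(const Rect& outer, const Rect& inner) {
  return inner.x >= outer.x && inner.y >= outer.y &&
         inner.x + inner.w <= outer.x + outer.w &&
         inner.y + inner.h <= outer.y + outer.h;
}

// Returns true when the custom cursor must be dropped for the default one.
bool ShouldBlockCursor(const CursorPrefs& prefs, const CursorImage& img,
                       int pointer_x, int pointer_y, const Rect& content) {
  if (!prefs.block_enabled) return false;
  // Cursors within the limit on both axes are never blocked.
  if (img.width <= prefs.max_size && img.height <= prefs.max_size) return false;
  // Assumption: the image is placed so its hotspot sits on the pointer.
  Rect drawn{pointer_x - img.hotspot_x, pointer_y - img.hotspot_y,
             img.width, img.height};
  // Assumption: anything outside the content area is browser UI.
  return !Contains(content, drawn);
}

int main() {
  const Rect content{0, 80, 1280, 640};     // constructed: 80px of UI on top
  const CursorImage big{128, 128, 0, 127};  // constructed: hotspot bottom-left
  CursorPrefs prefs;
  std::printf("near toolbar: %d\n",
              ShouldBlockCursor(prefs, big, 400, 120, content));
  std::printf("mid page:     %d\n",
              ShouldBlockCursor(prefs, big, 400, 400, content));
  return 0;
}
```

The bottom-left hotspot case is the one that matters: the pointer is inside the page, but the image extends upward over the toolbar, so the check has to use the drawn rectangle and not the pointer position.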