Thursday, 10 May 2012

Improved key input in fullscreen mode plus pointer lock changes

I've landed bug 716107 which removes the "Press ESC to exit fullscreen" warning upon alphanumeric key input in fullscreen mode.

This will mean fullscreen web apps can use the full range of keys without having the annoying warning message pop up every time the user presses an alphanumeric key, i.e. the WASD keys!

In order to make change safe, we altered the security model a bit: now when entering fullscreen we explicitly ask the user to approve/deny entering fullscreen using a modal prompt, something like this:

Fullscreen approval user interface
Fullscreen approval prompt.
The prompt has a "remember decision for $" checkbox, so if the user trusts the domain they can avoid having to approve fullscreen every time. If the user opts to "remember" an allow fullscreen decision, we'll still show a "$ entered fullscreen, press ESC to exit" warning when entering fullscreen, but it goes away after a few seconds.

Once the user has approved entering fullscreen, we won't show a warning upon alphanumeric key input.

I also landed bug 746885 which makes pointer lock wait until fullscreen has been approved using the new approval UI before granting the pointer lock request. It may take the user several seconds to approve fullscreen, so authors need to be aware that the "mozpointerlockchange" event may come in several seconds after the "mozfullscreenchange" event. Authors shouldn't assume the pointer is locked until after they've received a "mozpointerlockchange" event!

We also changed our spelling to use "fullscreen" rather than "full-screen", since everybody (including the fullscreen draft spec) was spelling it "fullscreen" anyway.

These changes are in Firefox Nightly builds from 9 May 2012 onwards, and will ship in Firefox 15, which is scheduled for release on 28 August 2012.

These changes should greatly improve the experience for HTML5 games using fullscreen and pointer lock!


Kevin Gadd said...

Is there an explanation anywhere for the rationale behind this new UI? It seems very strange to throw up an allow/deny after the game has already entered fullscreen, and it looks like the 'remember this choice' defaults to off? The allow/deny buttons don't even feel like they need to exist since you're already telling them they can leave fullscreen by pressing ESC (though having a clickable button to leave full-screen makes sense, labelling it 'Deny' is a very weird choice).

Has this been user-tested? I would expect it to produce a lot of friction with average users.

johndrinkwater said...

FWIW, Full‐screen is a Britishism.

Chris Pearce said...

@Kevin: The rationale for the design should be the topic of another entire blog post, I'll write that up.

A lot of thought went into the design, and it's hard to guard against attacks while still retaining an API which is convenient for everyone to use.

The allow/deny buttons act as a binary choice. It would be weird if only one was there.

You'll note the "press ESC" text reads "Press ESC at any time to exit fullscreen". The purpose of this is to let the user know they always have a way out, no matter what happens.

Laurence said...

After using this for a few days, I really have to surmise that it's immensely irritating to interact with.

Chris, I understand your desire to prevent abuse of this feature, but I think it needs to be reconsidered to actually be acceptable for users. A couple of suggestions I would make;

- Bring back the old, simple warning by default, and *only* use the ham-fisted approach when a site requests alphanumeric entry.

- When I press "Allow", that choice should be remembered while the page is open. If I exit fullscreen and then re-enter, the last thing I want is to see this prompt again. I shouldn't need to allow the domain for that.

When I just want to watch a video, I don't mind seeing a brief warning which gets out of my way quickly. I don't want a big, obnoxious notice which refuses to budge until I take action. Sorry for being blunt Chris, but this is one of the first changes to Firefox which I've found truly unpleasant.

I imagine gamers will have similar reservations, when all they want to do is play a quick game. Overall, I just think there has to be a better way.

Chris Pearce said...

Laurence: Why don't you opt to "remember" the decision to allow fullscreen? Then the warning auto-hides when re-entering fullscreen on the same domain.

Lozzy said...

Like I said, I shouldn't have to do that. I don't want to set a permanent exception to allow a domain when all I want to do is comfortably interact with this page on a temporary basis. I also want to avoid clicking at all, let alone twice if I can avoid it.

Your lack of response to my other feedback concerns me too. I get the feeling you're not willing to compromise your agenda for the sake of ease of use. But I feel like you will have to be prepared to make full screen easier to use or users will find it too annoying and avoid it. I feel that would contribute to resentment of Firefox and make developers avoid native full screen by serving Firefox a Flash implementation. I don't see either of those as welcome outcomes.

Chris Pearce said...

@Lozzy: I understand that your usability concerns, but any solution needs to be resistant to phishing and spoofing attacks. The best defence against these is user awareness, hence the approval UI.

We could make fullscreen on a video element special a special case, and block all mouse and keyboard events to the video while it's fullscreen, that's probably safe enough.

And for the record, Chrome follows the same approval UI mechanism.

But you're right; I do have an agenda: keeping our users safe. I'll try to write up a blog post detailing my design decisions.

Lozzy said...

Yes, I suppose that if users aren't using the feature and developers are opting to use workarounds like Flash it will be safer :P Sorry, that was a cheap shot, but I couldn't resist the temptation.

Making a post at some point could help explain things. There is one thing I don't fully understand which would be worth exploring. Surely the only way for an attacker to effectively phish for information is with alphanumeric input, which must be requested explicitly. Why can't we go back to the nice old implementation for everything but cases where the site requests alphanumeric input?

While I'm apprehensive about the trend of using Google's choices to dictate Mozilla's direction I have to concede that Chromium's implementation here is much more palatable and less obnoxious than what we have at the moment. Many of the pain points I get while using Fx's fullscreen implementation don't apply while using Chromium.

Chris Pearce said...

@Lozzy: Some banking sites require entering a pin number using the mouse (stupid, I know) as a defence against keyloggers, so that doesn't need keyboard access to sniff.

Another attack that doesn't require key access is popping up a spoof virus warning with a trojan download. I saw a real life example of this on my mother in law's computer actually, it's quite convincing. Fullscreen would make this look more convincing.

Neither of those attacks require keyboard access, so fullscreen without keyboard access needs to be as secure as fullscreen with keyboard access.

markinfla said...

If a user accidentally chooses "Deny" and the "remember this choice" box is checked, how would they reverse this decision later? Where is the website-specific preference stored?

Chris Pearce said...

@markinfla: Fullscreen permissions can be changed via: Right click, view page info, permissions, "Enter fullscreen".

markinfla said...

Thanks, @Chris... You just made a SysAdmin's wife very happy... and a SysAdmin feel like a user. ;-)