Comments on Thundering Herd: Improved key input in fullscreen mode plus pointer lock changes
Blog author: Chris Pearce
Feed updated: 2023-11-21T23:10:10.896+13:00

markinfla (2012-09-05T12:04:43.895+12:00):

Thanks, @Chris... You just made a SysAdmin's wife very happy... and a SysAdmin feel like a user. ;-)

Chris Pearce (2012-09-05T11:55:35.094+12:00):

@markinfla: Fullscreen permissions can be changed via: Right click, view page info, permissions, "Enter fullscreen".

markinfla (2012-09-05T11:34:02.175+12:00):

If a user accidentally chooses "Deny" and the "remember this choice" box is checked, how would they reverse this decision later? Where is the website-specific preference stored?

Chris Pearce (2012-05-19T09:34:50.594+12:00):

@Lozzy: Some banking sites require entering a PIN number using the mouse (stupid, I know) as a defence against keyloggers, so that doesn't need keyboard access to sniff.

Another attack that doesn't require key access is popping up a spoof virus warning with a trojan download. I saw a real-life example of this on my mother-in-law's computer actually, it's quite convincing. Fullscreen would make this look more convincing.

Neither of those attacks requires keyboard access, so fullscreen without keyboard access needs to be as secure as fullscreen with keyboard access.

Lozzy (2012-05-19T00:28:39.868+12:00):

Yes, I suppose that if users aren't using the feature and developers are opting to use workarounds like Flash it will be safer :P Sorry, that was a cheap shot, but I couldn't resist the temptation.

Making a post at some point could help explain things. There is one thing I don't fully understand which would be worth exploring. Surely the only way for an attacker to effectively phish for information is with alphanumeric input, which must be requested explicitly. Why can't we go back to the nice old implementation for everything but cases where the site requests alphanumeric input?

While I'm apprehensive about the trend of using Google's choices to dictate Mozilla's direction I have to concede that Chromium's implementation here is much more palatable and less obnoxious than what we have at the moment. Many of the pain points I get while using Fx's fullscreen implementation don't apply while using Chromium.

Chris Pearce (2012-05-17T10:37:34.351+12:00):

@Lozzy: I understand your usability concerns, but any solution needs to be resistant to phishing and spoofing attacks. The best defence against these is user awareness, hence the approval UI.

We could make fullscreen on a video element a special case, and block all mouse and keyboard events to the video while it's fullscreen, that's probably safe enough.

And for the record, Chrome follows the same approval UI mechanism.

But you're right; I do have an agenda: keeping our users safe. I'll try to write up a blog post detailing my design decisions.

Lozzy (2012-05-17T06:51:56.573+12:00):

Like I said, I shouldn't have to do that. I don't want to set a permanent exception to allow a domain when all I want to do is comfortably interact with this page on a temporary basis. I also want to avoid clicking at all, let alone twice if I can avoid it.

Your lack of response to my other feedback concerns me too. I get the feeling you're not willing to compromise your agenda for the sake of ease of use. But I feel like you will have to be prepared to make full screen easier to use or users will find it too annoying and avoid it. I feel that would contribute to resentment of Firefox and make developers avoid native full screen by serving Firefox a Flash implementation. I don't see either of those as welcome outcomes.

Chris Pearce (2012-05-16T12:05:04.945+12:00):

Laurence: Why don't you opt to "remember" the decision to allow fullscreen? Then the warning auto-hides when re-entering fullscreen on the same domain.

Lozzy (2012-05-16T11:57:56.181+12:00):

After using this for a few days, I really have to surmise that it's immensely irritating to interact with.

Chris, I understand your desire to prevent abuse of this feature, but I think it needs to be reconsidered to actually be acceptable for users. A couple of suggestions I would make:

- Bring back the old, simple warning by default, and *only* use the ham-fisted approach when a site requests alphanumeric entry.

- When I press "Allow", that choice should be remembered while the page is open. If I exit fullscreen and then re-enter, the last thing I want is to see this prompt again. I shouldn't need to allow the domain for that.

When I just want to watch a video, I don't mind seeing a brief warning which gets out of my way quickly. I don't want a big, obnoxious notice which refuses to budge until I take action. Sorry for being blunt Chris, but this is one of the first changes to Firefox which I've found truly unpleasant.

I imagine gamers will have similar reservations, when all they want to do is play a quick game. Overall, I just think there has to be a better way.

Chris Pearce (2012-05-15T23:28:44.024+12:00):

@Kevin: The rationale for the design should be the topic of another entire blog post, I'll write that up.

A lot of thought went into the design, and it's hard to guard against attacks while still retaining an API which is convenient for everyone to use.

The allow/deny buttons act as a binary choice. It would be weird if only one was there.

You'll note the "press ESC" text reads "Press ESC *at any time* to exit fullscreen". The purpose of this is to let the user know they always have a way out, no matter what happens.

johndrinkwater (2012-05-13T01:39:17.345+12:00):

FWIW, Full‐screen is a Britishism.

Kevin Gadd (2012-05-12T14:28:04.806+12:00):

Is there an explanation anywhere for the rationale behind this new UI? It seems very strange to throw up an allow/deny after the game has already entered fullscreen, and it looks like the 'remember this choice' defaults to off? The allow/deny buttons don't even feel like they need to exist since you're already telling them they can leave fullscreen by pressing ESC (though having a clickable button to leave full-screen makes sense, labelling it 'Deny' is a very weird choice).

Has this been user-tested? I would expect it to produce a lot of friction with average users.