Thanks for taking a look Gijs! (In reply to :Gijs (he/him) from comment #12) > I'm... not convinced this is a particularly convincing clickjack given all the screen movement and the 500ms delay which isn't being bypassed as such (AFAICT), we're just causing clicks to go elsewhere while the popup is visible the whole time. So `sec-moderate` seems generous to me. Agreed. We did introduce the extension of the delay for clicks made during the delay. So that part is being bypassed. But that's a fairly recent addition. > If we wanted to do something we would probably extend the delay for pointer lock in the same way we did for fullscreen, or close the permission prompt when pointer lock is entered? Paul, is there any reason that wouldn't work? I've attached a patch that does this. Just like for the full screen transition, it needs to account for both pointer lock entered while the panel is open and the panel opening during pointer lock. Still need to work on a test. Probably won't be able to replicate the PoC in CI, given that I can't even reproduce the issue locally.
Bug 1876675 Comment 14 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Thanks for taking a look Gijs! (In reply to :Gijs (he/him) from comment #12) > I'm... not convinced this is a particularly convincing clickjack given all the screen movement and the 500ms delay which isn't being bypassed as such (AFAICT), we're just causing clicks to go elsewhere while the popup is visible the whole time. So `sec-moderate` seems generous to me. Agreed. We did introduce the extension of the delay for clicks made during the delay. So that part is being bypassed. But that's a fairly recent addition. > If we wanted to do something we would probably extend the delay for pointer lock in the same way we did for fullscreen, or close the permission prompt when pointer lock is entered? Paul, is there any reason that wouldn't work? I've attached a patch that does this. Just like for the full screen transition, it needs to account for both pointer lock entered while the panel is open and the panel opening during pointer lock. Still need to work on a test. Probably won't be able to replicate the PoC in CI, given that I can't even reproduce the issue locally. Edit: we could consider duping Bug 1881846 since it uses the same mechanism.