Open Bug 1196588 Opened 5 years ago Updated 2 years ago

The fullscreen reminder shows up every time that you switch to Firefox

Categories

(Firefox :: General, defect)

43 Branch
defect
Not set

People

(Reporter: ehsan, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: parity-chrome, parity-edge)

STR:

(This is on OS X, mentioning in case this is platform specific.)

1. Make a youtube video fullscreen.
2. Wait for the reminder to go away, and switch to another app using Cmd+Tab.
3. Switch back to Firefox.

The reminder shows up again.

This is extremely bad especially since it happens when you switch desktops, which means that it happens every time that you go back to the Firefox desktop.
This is not platform specific. This behavior exists on all desktop platforms.

I think this is by design for security concerns that the content may spoof the desktop or browser chrome when the focus returns to Firefox.

Probably see some discussion in bug 724554.

We definitely should check this kind of proposal with security guys.
Component: Audio/Video → General
Product: Core → Firefox
Daniel, do you know who from the security team would be the right person for this?  Thanks!
Flags: needinfo?(dveditz)
Situations like this are tough -- the current UI is needlessly annoying to users of nice sites which aren't trying to hack them, but there sure are sites out there that are not nice and the user isn't always the best judge.

Can fullscreen sites which lose focus force the user back by calling .focus() or similar? Could it open a new tab/window that is on top of the fullscreen, switch the fullscreen image to look like a browser on the desktop and then close the window that's on top?

If we know the user is sitting there and actively causing the shift back to the fullscreen window then a 4-second overlay is annoying overkill, but some transition or small overlay would be helpful. If it's possible for the page to cause the fullscreen to come to the top without user interaction then we could be in trouble.

(In reply to Ehsan Akhgari (don't ask for review please) from comment #2)
> Daniel, do you know who from the security team would be the right person for
> this?  Thanks!

Richard and Tanvi have both looked at the fullscreen issue in the past.
Flags: needinfo?(tanvi)
Flags: needinfo?(rlb)
Flags: needinfo?(dveditz)
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Situations like this are tough -- the current UI is needlessly annoying to
> users of nice sites which aren't trying to hack them, but there sure are
> sites out there that are not nice and the user isn't always the best judge.

Please note that this has regressed in the new full screen UI.  We did not show this again and again in the old UI, and AFAICT the same attack vectors that existed previously exist now as well.

> Can fullscreen sites which lose focus force the user back by calling
> .focus() or similar?

Hmm, not sure.  IIRC we had some protections against that.

> Could it open a new tab/window that is on top of the
> fullscreen, switch the fullscreen image to look like a browser on the
> desktop and then close the window that's on top?

No, if you open a new tab/window, you'd leave full screen mode.

> If we know the user is sitting there and actively causing the shift back to
> the fullscreen window then a 4-second overlay is annoying overkill, but some
> transition or small overlay would be helpful. If it's possible for the page
> to cause the fullscreen to come to the top without user interaction then we
> could be in trouble.

That is not possible AFAIK.
Keywords: regression
Assume the user switches screens to another Desktop.  The fullscreen webpage changes its content to look like a browser.  The Desktop switches back screens and forgets that they are in fullscreen mode.  They interact with the webpage as if it was the browser.

Same situation when switching between other fullscreen applications.  If the website can tell when it is out of focus, they know when to switch their UI.

Maybe we can change this to a secondary reminder that is smaller and quicker?
Flags: needinfo?(tanvi)
(In reply to Ehsan Akhgari (don't ask for review please) from comment #4)
> (In reply to Daniel Veditz [:dveditz] from comment #3)
> > Situations like this are tough -- the current UI is needlessly annoying to
> > users of nice sites which aren't trying to hack them, but there sure are
> > sites out there that are not nice and the user isn't always the best judge.
> 
> Please note that this has regressed in the new full screen UI.  We did not
> show this again and again in the old UI, and AFAICT the same attack vectors
> that existed previously exist now as well.

No, it's not. This was initially implemented in bug 724554. Before that bug, we always exit fullscreen when we lose the focus.

> > Could it open a new tab/window that is on top of the
> > fullscreen, switch the fullscreen image to look like a browser on the
> > desktop and then close the window that's on top?
> 
> No, if you open a new tab/window, you'd leave full screen mode.

Opening new window doesn't exit fullscreen, but opening new tab does.
Keywords: regression
(In reply to Tanvi Vyas [:tanvi] from comment #5)
> Assume the user switches screens to another Desktop.  The fullscreen webpage
> changes its content to look like a browser.  The Desktop switches back
> screens and forgets that they are in fullscreen mode.  They interact with
> the webpage as if it was the browser.

Sure, but that risk has always existed.  I'm curious to know what changed that caused us to worry about it now?

Also, how is the current protection considered to be enough?  If we want to protect against attacks such as <http://feross.org/html5-fullscreen-api-attack/>, is it not entirely possible for the full screen content to simulate the browser going out of full screen and render UI that looks like the browser as the user is looking at the page?

> Same situation when switching between other fullscreen applications.  If the
> website can tell when it is out of focus, they know when to switch their UI.
> 
> Maybe we can change this to a secondary reminder that is smaller and quicker?

Well, any additional nagging is more annoying than what we do on Firefox release right now, and it would put us at a disadvantage against other browsers.  But sure, if we absolutely must do this, making it less annoying would be better than the current situation.  :/
(In reply to Xidorn Quan [:xidorn] (UTC+12) from comment #6)
> (In reply to Ehsan Akhgari (don't ask for review please) from comment #4)
> > (In reply to Daniel Veditz [:dveditz] from comment #3)
> > > Situations like this are tough -- the current UI is needlessly annoying to
> > > users of nice sites which aren't trying to hack them, but there sure are
> > > sites out there that are not nice and the user isn't always the best judge.
> > 
> > Please note that this has regressed in the new full screen UI.  We did not
> > show this again and again in the old UI, and AFAICT the same attack vectors
> > that existed previously exist now as well.
> 
> No, it's not. This was initially implemented in bug 724554. Before that bug,
> we always exit fullscreen when we lose the focus.

I'm puzzled.  I am testing this on Nightly vs Firefox 40.  On Nightly, we show the fullscreen reminder every time I switch back to the fullscreen window.  On 40, we don't.  What am I missing?

> > > Could it open a new tab/window that is on top of the
> > > fullscreen, switch the fullscreen image to look like a browser on the
> > > desktop and then close the window that's on top?
> > 
> > No, if you open a new tab/window, you'd leave full screen mode.
> 
> Opening new window doesn't exit fullscreen, but opening new tab does.

I meant if the page opens a new tab/window (for example using window.open).  If the user opens a new window, we don't leave the full screen mode, but I think comment 3 was talking about the things that a bad page can do, not the things that a user can do.
(In reply to Ehsan Akhgari (don't ask for review please) from comment #8)
> (In reply to Xidorn Quan [:xidorn] (UTC+12) from comment #6)
> > No, it's not. This was initially implemented in bug 724554. Before that bug,
> > we always exit fullscreen when we lose the focus.
> 
> I'm puzzled.  I am testing this on Nightly vs Firefox 40.  On Nightly, we
> show the fullscreen reminder every time I switch back to the fullscreen
> window.  On 40, we don't.  What am I missing?

Probably you should try Firefox 40 on platforms other than Mac, or try Firefox 41. It seems on Mac, before bug 1105939 when we were still using the native fullscreen mode for Fullscreen API, it doesn't trigger `activate` event when we switch back to the window. This is probably a vulnerability we didn't notice before.

> > Opening new window doesn't exit fullscreen, but opening new tab does.
> 
> I meant if the page opens a new tab/window (for example using window.open). 
> If the user opens a new window, we don't leave the full screen mode, but I
> think comment 3 was talking about the things that a bad page can do, not the
> things that a user can do.

Yes, I was talking about what the page does as well. If a page uses window.open() with width and height set, it opens a new window without exiting fullscreen in the original page. If it doesn't set width and height, that would exit fullscreen because of tab switching (not because of opening new tab itself).

There is one more Mac-specific bug: when a window is fullscreen, a new window is always opened in a new tab, no matter whether it has width/height set. This bug may make the page always exit fullscreen when calling window.open(). I need some investigation for fixing that.
So given this is not a regression, and was there because of security consideration, can we close this bug now?
Flags: needinfo?(rlb)
(In reply to Xidorn Quan [:xidorn] (UTC+12) from comment #10)
> So given this is not a regression, and was there because of security
> consideration, can we close this bug now?

Do we want to consider changing the UI for the secondary reminder to make it smaller?  We could close this bug and create a new bug for that.
(In reply to Tanvi Vyas [:tanvi] from comment #11)
> (In reply to Xidorn Quan [:xidorn] (UTC+12) from comment #10)
> > So given this is not a regression, and was there because of security
> > consideration, can we close this bug now?
> 
> Do we want to consider changing the UI for the secondary reminder to make it
> smaller?  We could close this bug and create a new bug for that.

That would be a question for Verdi.
Flags: needinfo?(mverdi)
I agree with Ehsan that this behavior is annoying. I also think, even though it's not a regression, it's unnecessary. FWIW, neither Chrome nor Edge does this.

You've gone into full screen by your own action - I don't think we need to remind you of that. If we did we'd probably also need to remind you at some regular interval of time (every 5 min?, every 2 min?) since you could have walked away from your computer and then come back.
Flags: needinfo?(mverdi)
(In reply to Verdi [:verdi] from comment #13)
> You've gone into full screen by your own action - I don't think we need to
> remind you of that. If we did we'd probably also need to remind you at some
> regular interval of time (every 5 min?, every 2 min?) since you could have
> walked away from your computer and then come back.

That's different. The content knows exactly when it loses the focus, but it doesn't know when the user leaves, unless it can also access the camera or at least microphone.
(In reply to Xidorn Quan [:xidorn] (UTC+8) from comment #14)
> (In reply to Verdi [:verdi] from comment #13)
> > You've gone into full screen by your own action - I don't think we need to
> > remind you of that. If we did we'd probably also need to remind you at some
> > regular interval of time (every 5 min?, every 2 min?) since you could have
> > walked away from your computer and then come back.
> 
> That's different. The content knows exactly when it loses the focus, but it
> doesn't know when the user leaves, unless it can also access the camera or
> at least microphone.

Sorry I didn't mean that example as a direct parallel - only that this behavior is similarly annoying and babysitter-ish. I'm saying that even though we decided in Bug 724554 to add the notification when you refocus Firefox, I think we should remove that now. In the past we had a different, more onerous, model for going full screen. We're now implementing a new, less onerous model and not showing the notification is consistent with that. Like I said in the previous comment, the user has gone into full screen on their own action and we've shown them a notification and a transition to make things clear. We don't need to keep reminding them that they are in full screen.
I don't have any preference. Removing that from code is easy, but I need a security approval anyway.

:tanvi, do you agree with removing that given comment 13 and comment 15?
Flags: needinfo?(tanvi)
Of course the choice doesn't have to be the current notification or nothing. A refocus reminder would be much less annoying in several different forms:
 * start ON the page -- no need to "slide in". (if there's a lag showing it then maybe fade in)
 * doesn't need to stick around as long (2 seconds max including transitions, maybe 1.5s)
 * fading out would be less annoying than sliding out.

Since the user is taking the action to switch screens (and knows that's what they're doing) it doesn't have to be as eye-catching as the initial full-screen action which the user might not realize they were doing and needs time to read (since it could be a framed origin).

I don't really care so much when a user switches to a completely different app and comes back. The fullscreen content /might/ be malicious, but that's a level of attacker patience we don't usually see.

I do care if the fullscreen page can open a new window on top of itself, and then close that window (or wait for the user to close it) to reveal what looks like a non-fullscreen window that's really fullscreen. Currently that can't happen on mac (due to the bug mentioned in comment 9), but it sounds like that bug will be fixed.
  * if we make it so any opening of popups exits fullscreen (as on mac) then we
    don't need the notice when switching back to fullscreen.
  * if you allow a fullscreen page to cover itself with a popup (which could
    include giving focus to a popup it's already opened) then we need the notice
See Dan's comment above.  I think we should make the secondary UI less annoying instead of removing it completely.
Flags: needinfo?(tanvi)
Why not just make it impossible for a fullscreen page to open a popup covering itself on all platforms?  Then according to comment 17 we can get rid of the secondary UI completely.
How do you plan to do that? One foolproof way is to make it so the fullscreen page is always on top of all other Firefox windows, but I'm pretty sure that will annoy users worse than the repeated warning. At least I know I sometimes work on bugs while listening to a conference video in the background--fullscreen so I can read the slides--and I switch back occasionally to see the new slides. I would hate to have to keep making the video fullscreen every time I switch.

At some point we seem to have fixed the pop-under tricks I knew -- I've had no luck (on a mac) getting a window to come up in front of the fullscreen one except by using OS window/app switching mechanisms (tab switching exits fullscreen, but window switching doesn't). If we can make the other platforms do that (but note the mac behavior is considered a "bug" in comment 9) it could be OK.

Web content can also launch external apps by trying to open something with an externally-handled scheme or mime-type in an iframe (if they navigate to it they get dumped out of fullscreen). The page could use the distraction of this action (whether or not the user actually launches the other program, we usually put up a dialog) to appear to transition out of fullscreen.

I'm not confident we can think of all these cases, it really would be safest to come up with a less-annoying notification and then just do it all the time.
(In reply to Daniel Veditz [:dveditz] from comment #20)
> How do you plan to do that? One foolproof way is to make it so the
> fullscreen page is always on top of all other Firefox windows, but I'm
> pretty sure that will annoy users worse than the repeated warning. At least
> I know I sometimes work on bugs while listening to a conference video in the
> background--fullscreen so I can read the slides--and I switch back
> occasionally to see the new slides. I would hate to have to keep making the
> video fullscreen every time I switch.

Isn't this only about popups that the page itself can open?  If yes, then it seems very easy to transition out of full screen in all of those cases since there aren't too many of them.  If not, I guess I'm misunderstanding what you said in the last paragraph of comment 17.

> Web content can also launch external apps by trying to open something with
> an externally-handled scheme or mime-type in an iframe (if they navigate to
> it they get dumped out of fullscreen). The page could use the distraction of
> this action (whether or not the user actually launches the other program, we
> usually put up a dialog) to appear to transition out of fullscreen.

Those external apps can also be considered as popups created from the page.

> I'm not confident we can think of all these cases, it really would be safest
> to come up with a less-annoying notification and then just do it all the
> time.

The reason why I keep pushing on this is that with the set of protections that we have today, a website can just as easily spoof a transition out of full-screen like this:

* Go fullscreen.
* Wait 10 seconds or long enough for the reminder to go away.
* Spoof coming out of fullscreen because of some kind of prompt.
* Profit.

This attack will work 100% of the time, it's super reliable, it works across all browsers, and it doesn't require waiting for the user to switch away, etc.

It should be clear that there is very little that we can do to address this besides banning fullscreen altogether.  So as things stand, I think this secondary UI is just an annoyance in the face of the users trying to prevent an attack that is possible with or without it...
(In reply to Daniel Veditz [:dveditz] from comment #17)
> Of course the choice doesn't have to be the current notification or nothing.

If it's critical that people be notified then we should be sure they see it. If it's ok to not make it very noticeable then let's not have it. If you make it less noticeable, exactly the kind of people who will need it, will not see it.

Again, other browsers do not do this. 
You enter full screen by your own action and you switch apps, spaces or desktops by your own action. I don't think we need to keep reminding you what you've done.

I also feel like we are making too big of a trade off for a theoretical exploit. This has been available for years with the Flash full screen implementation but nobody uses it. I believe that's because you don't have to go through all the trouble of simulating the entire desktop environment to fool people. Here's a recent example - http://ivuroinfotech.com (Open in Internet Explorer or Edge, may already be in the Google safe browsing database).
* One way of making it less jarring is to not animate the notification when switching back to a full-screen Firefox window. Simply display it immediately.

I would of course prefer if it's not displayed at all when I ALT-tab back to Firefox, and as has been mentioned this is the way Chrome and Edge behave.
OS: Unspecified → All
Hardware: Unspecified → All
Whiteboard: [parity-Chrome][parity-Edge]
Version: unspecified → 43 Branch
No longer blocks: 1209374
Duplicate of this bug: 1226181
Add this to block the track bug so that I can find it easier.
Mass bug change to replace various 'parity' whiteboard flags with the new canonical keywords. (See bug 1443764 comment 13.)
Whiteboard: [parity-Chrome][parity-Edge]