Bug 700679 - Show warning on alpha-numeric key input when in full screen mode to prevent phishing
Status: VERIFIED FIXED
Product: Firefox for Android
Classification: Client Software
Component: General
: unspecified
: All Android
: P3 normal
Assigned To: :Margaret Leibovic
Depends on: 688082
Reported: 2011-11-08 08:48 PST by :Margaret Leibovic
Modified: 2016-07-29 14:20 PDT
adriant.mozilla: in‑moztrap+
fixed
11+


Attachments
patch (1.88 KB, patch)
2011-11-14 16:13 PST, :Margaret Leibovic
mark.finkle: review+
cpearce: feedback+

Description :Margaret Leibovic 2011-11-08 08:48:12 PST
Follow up from bug 688082 comment 10:

On desktop we also show the warning whenever there's alpha-numeric key input as a safeguard against password phishing. I guess it makes sense to show the warning on text input on mobile too; the bad guys could still fake the fennec UI going to paypal.com or whatever and phish for passwords.
Comment 1 :Margaret Leibovic 2011-11-14 16:13:58 PST
Created attachment 574470
patch

Following the logic for desktop, it looks like we just need to listen for the MozShowFullScreenWarning event. Chris, is this the right idea?

Also, I couldn't figure out how to test this without a hard keyboard, so I'll probably have to ask someone with a different phone to test.
Comment 2 Chris Pearce (:cpearce) 2011-11-14 16:44:03 PST
Comment on attachment 574470
patch

Yup, that's the idea. If there are Android-specific key codes that you want whitelisted (like volume change perhaps?) you can add them to the whitelist in IsFullScreenAndRestrictedKeyEvent() in nsPresShell.cpp.
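
The approach discussed in comments 1 and 2, as an added example that is not part of the original bug or the attached patch: a small model of a full-screen key policy that warns on any key outside a whitelist and surfaces the warning through a `MozShowFullScreenWarning` listener. `ALLOWED_KEYS`, `isRestrictedKey`, `FullScreenModel` and `simulate` are hypothetical names, and the whitelist contents are an assumption, not the list in nsPresShell.cpp.

```javascript
// Added illustration: a model of the policy, not Gecko's code.
// ALLOWED_KEYS is an assumed whitelist; the real one lives in
// IsFullScreenAndRestrictedKeyEvent() in nsPresShell.cpp.
const ALLOWED_KEYS = new Set([
  "ArrowUp", "ArrowDown", "ArrowLeft", "ArrowRight",
  "Tab", "Enter", " ", "Escape", "AudioVolumeUp", "AudioVolumeDown",
]);

// True when a key press in full-screen mode should trigger the warning.
function isRestrictedKey(key, isFullScreen) {
  if (!isFullScreen) return false;   // browser chrome is visible, no spoofing risk
  return !ALLOWED_KEYS.has(key);     // default-deny: anything not whitelisted warns
}

// Hypothetical stand-in for the browser window: turns restricted key
// presses into MozShowFullScreenWarning events for the UI to act on.
class FullScreenModel extends EventTarget {
  constructor() {
    super();
    this.isFullScreen = false;
  }
  keyPress(key) {
    if (isRestrictedKey(key, this.isFullScreen)) {
      this.dispatchEvent(new Event("MozShowFullScreenWarning"));
    }
  }
}

// Replays a key sequence and returns the warnings the UI listener showed.
function simulate(keys, isFullScreen) {
  const win = new FullScreenModel();
  const shown = [];
  win.isFullScreen = isFullScreen;
  win.addEventListener("MozShowFullScreenWarning", () => {
    shown.push("Press back to leave full-screen mode");
  });
  keys.forEach((key) => win.keyPress(key));
  return shown;
}

// Constructed input: arrow-key navigation, then typing into a page-drawn form.
console.log(simulate(["ArrowDown", "ArrowDown", "p", "4", "s"], true).length);
```

Because the check is default-deny, game controls such as "w" "a" "s" "d" also trigger the warning, which is the usability cost raised later in the thread.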
Comment 3 :Margaret Leibovic 2011-11-15 10:50:37 PST
Comment on attachment 574470
patch

Can I just ask someone from QA to verify that this works with a hard keyboard?
Comment 4 :Margaret Leibovic 2011-11-15 12:32:57 PST
https://hg.mozilla.org/projects/birch/rev/27537ee9995f
Comment 5 Aaron Train [:aaronmt] 2011-11-16 06:33:27 PST
(In reply to Margaret Leibovic [:margaret] from comment #3)
> Comment on attachment 574470
> patch
> 
> Can I just ask someone from QA to verify that this works with a hard
> keyboard?

Which site?
Comment 6 Mark Finkle (:mfinkle) (use needinfo?) 2011-11-16 06:49:57 PST
(In reply to Aaron Train [:aaronmt] from comment #5)

> > Can I just ask someone from QA to verify that this works with a hard
> > keyboard?
> 
> Which site?

http://pearce.org.nz/full-screen/

Any site that causes the full-screen mode to appear. Using "full screen" on a video should work too.
Comment 7 Carla Nadastean 2011-12-09 06:46:16 PST
Retested with:
Mozilla/5.0 (Android; Linux armv7l; rv:11.0a1) Gecko/20111209 Firefox/11.0a1 Fennec/11.0a1
Device: HTC Desire Z (Android 2.3)

Warning "Press back to leave full-screen mode" is displayed when full screen is requested using HKb.

Verifying bug.
Comment 8 Emil Tamas 2012-04-10 02:46:08 PDT
Can you please reconsider this behavior? 

It is severely limiting the use cases where this feature is useful. For instance, it is now completely impractical to build a "zen mode" text editor or any HTML app that involves a distraction-free UI. Games are also a good example. Most gamers are using the "w" "a" "s" "d" "x" key combos to navigate, not the arrow keys.

Chrome has done a good job about not being obtrusive with this behavior and real life usage proved their approach is the right one for the end user, without posing security risks.

A permission/whitelist based approach would definitely be more useful than nagging the user on each alphanumeric keypress.
Comment 9 :Margaret Leibovic 2012-04-10 07:46:51 PDT
(In reply to Emil Tamas from comment #8)
> Can you please reconsider this behavior? 
> 
> It is severely limiting the use cases where this feature is useful. For
> instance, it is now completely impractical to build a "zen mode" text editor
> or any HTML app that involves a distraction-free UI. Games are also a good
> example. Most gamers are using the "w" "a" "s" "d" "x" key combos to
> navigate, not the arrow keys.
> 
> Chrome has done a good job about not being obtrusive with this behavior and
> real life usage proved their approach is the right one for the end user,
> without posing security risks.
> 
> A permission/whitelist based approach would definitely be more useful than
> nagging the user on each alphanumeric keypress.

Thanks for your input. After a bug has been marked fixed, we like to continue work in new bugs. Could you file a new bug that describes the approach you would like us to take? If you cc me I'll make sure the appropriate UX folks get included.
Comment 10 Adrian Tamas (:AdrianT) 2012-09-04 02:13:09 PDT
Test case created in the Full Functional Tests testsuite in MozTrap:
https://moztrap.mozilla.org/manage/cases/_detail/6341/