Closed Bug 700679 Opened 10 years ago Closed 10 years ago

Show warning on alpha-numeric key input when in full screen mode to prevent phishing

Categories

(Firefox for Android Graveyard :: General, defect, P3)

All
Android
defect

Tracking

(firefox11 fixed, fennec11+)

VERIFIED FIXED
Tracking Status
firefox11 --- fixed
fennec 11+ ---

People

(Reporter: Margaret, Assigned: Margaret)

Attachments

(1 file)

Follow up from bug 688082 comment 10:

On desktop we also show the warning whenever there's alpha-numeric key input as a safeguard against password phishing. I guess it makes sense to show the warning on text input on mobile too; the bad guys could still fake the fennec UI going to paypal.com or whatever and phish for passwords.
Assignee: nobody → margaret.leibovic
Priority: -- → P3
Attached patch: patch
Following the logic for desktop, it looks like we just need to listen for the MozShowFullScreenWarning event. Chris, is this the right idea?

Also, I couldn't figure out how to test this without a hard keyboard, so I'll probably have to ask someone with a different phone to test.
Attachment #574470 - Flags: feedback?(chris)
Comment on attachment 574470 [details] [diff] [review]
patch

Yup, that's the idea. If there are Android-specific key codes that you want whitelisted (like volume change perhaps?) you can add them to the whitelist in IsFullScreenAndRestrictedKeyEvent() in nsPresShell.cpp.
Attachment #574470 - Flags: feedback?(chris) → feedback+
Comment on attachment 574470 [details] [diff] [review]
patch

Can I just ask someone from QA to verify that this works with a hard keyboard?
Attachment #574470 - Flags: review?(mark.finkle)
Attachment #574470 - Flags: review?(mark.finkle) → review+
https://hg.mozilla.org/projects/birch/rev/27537ee9995f
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
(In reply to Margaret Leibovic [:margaret] from comment #3)
> Comment on attachment 574470 [details] [diff] [review]
> patch
> 
> Can I just ask someone from QA to verify that this works with a hard
> keyboard?

Which site?
(In reply to Aaron Train [:aaronmt] from comment #5)

> > Can I just ask someone from QA to verify that this works with a hard
> > keyboard?
> 
> Which site?

http://pearce.org.nz/full-screen/

Any site that causes the full-screen mode to appear. Using "full screen" on a video should work too.
Flags: in-litmus?(fennec)
Whiteboard: [QA+]
Retested with:
Mozilla/5.0 (Android; Linux armv7l; rv:11.0a1) Gecko/20111209 Firefox/11.0a1 Fennec/11.0a1
Device: HTC Desire Z (Android 2.3)

Warning "Press back to leave full-screen mode" is displayed when full screen is requested using HKb.

Verifying bug.
Status: RESOLVED → VERIFIED
Whiteboard: [QA+]
tracking-fennec: --- → 11+
Can you please reconsider this behavior? 

It is severely limiting the use cases where this feature is useful. For instance, it is now completely unpractical to build a "zen mode" text editor or any HTML app that involves a distraction free UI. Games are also a good example. Most gamers are using the "w" "a" "s" "d" "x" key combos to navigate, not the arrow keys.

Chrome has done a good job about not being obtrusive with this behavior and real life usage proved their approach is the right one for the end user, without posing security risks.

A permission/whitelist based approach would definitely be more useful than nagging the user on each alphanumeric keypress.
(In reply to Emil Tamas from comment #8)
> Can you please reconsider this behavior? 
> 
> It is severely limiting the use cases where this feature is useful. For
> instance, it is now completely unpractical to build a "zen mode" text editor
> or any HTML app that involves a distraction free UI. Games are also a good
> example. Most gamers are using the "w" "a" "s" "d" "x" key combos to
> navigate, not the arrow keys.
> 
> Chrome has done a good job about not being obtrusive with this behavior and
> real life usage proved their approach is the right one for the end user,
> without posing security risks.
> 
> A permission/whitelist based approach would definitely be more useful than
> nagging the user on each alphanumeric keypress.

Thanks for your input. After a bug has been marked fixed, we like to continue work in new bugs. Could you file a new bug that describes the approach you would like us to take? If you cc me I'll make sure the appropriate UX folks get included.
Test case created in the Full Functional Tests testsuite in MozTrap:
https://moztrap.mozilla.org/manage/cases/_detail/6341/
Flags: in-litmus?(fennec) → in-moztrap+
Product: Firefox for Android → Firefox for Android Graveyard