Closed
Bug 822654
Opened 12 years ago
Closed 12 years ago
SecReview: Extend Pointer Lock (Mouse Lock) for non-fullscreen elements
Categories
(mozilla.org :: Security Assurance: Review Request, task)
mozilla.org
Security Assurance: Review Request
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: curtisk, Assigned: curtisk)
References
()
Details
(Whiteboard: [pending secreview])
Attachments
(1 file)
5.28 KB,
text/html
|
Details |
1) Who is/are the point of contact(s) for this review? 2) Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.): 3) Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description: 4) Does this request block another bug? If so, please indicate the bug number 5) This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review? 6) To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal? 7) Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.) 7a) Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users? 7b) Are there any portions of the project that interact with 3rd party services? 7c) Will your application/service collect user data? If so, please describe 8) If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size): 9) Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Flags: needinfo?(david.humphrey)
Comment 1•12 years ago
|
||
https://www.w3.org/Bugs/Public/show_bug.cgi?id=19297 looks to be blocked on this review.
Comment 2•12 years ago
|
||
(In reply to Ian Melven :imelven from comment #1) > https://www.w3.org/Bugs/Public/show_bug.cgi?id=19297 looks to be blocked on > this review. see https://www.w3.org/Bugs/Public/show_bug.cgi?id=19297#c3
![]() |
Assignee | |
Comment 3•12 years ago
|
||
this bug is flagged needs-info before we can do a review
Comment 4•12 years ago
|
||
(In reply to Curtis Koenig [:curtisk] from comment #3) > this bug is flagged needs-info before we can do a review Looking at the w3c bug and the discussion in the bug for the actual work here, it seems like there's a disconnect between what the spec says, what FF does, and what Chrome does. Maybe providing security input there or for the spec (or in the w3c bug) might be more useful than a review per se at this point ? It seems like we're more at the point where we want to figure out what to do, than reviewing what we've done.
![]() |
Assignee | |
Updated•12 years ago
|
Flags: needinfo?(david.humphrey)
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][triage needed]
![]() |
Assignee | |
Comment 5•12 years ago
|
||
I am going to take this one and try to find a date for a team review
Assignee: nobody → curtisk
Whiteboard: [pending secreview][triage needed] → [pending secreview]
Comment 6•12 years ago
|
||
(In reply to Curtis Koenig [:curtisk] from comment #0) > 1) Who is/are the point of contact(s) for this review? Me: Chris Pearce. > 2) Please provide a short description of the feature / application (e.g. > problem solved, use cases, etc.): Allow the pointer (mouse cursor) to be "locked" inside an HTML element. While a element locks the pointer, the pointer is hidden, and movement of the mouse is always reported to that element, i.e. since the mouse cursor can't (logically) move outside of the element, the element receives all movement. This facilitates non-fullscreen games locking the pointer, for example a non-fullscreen FPS game would want to lock the pointer so that the user could still control their character without the mouse leaving the canvas. > 3) Please provide links to additional information (e.g. feature page, wiki) > if available and not yet included in feature description: Specification: http://www.w3.org/TR/pointerlock/ > 4) Does this request block another bug? If so, please indicate the bug number Bug 737100 - "Extend Pointer Lock (Mouse Lock) for non-fullscreen elements" > 5) This review will be scheduled amongst other requested reviews. What is > the urgency or needed completion date of this review? Not super urgent, but needs to be done before it's worth starting work on this. > 6) To help prioritize this work request, does this project support a goal > specifically listed on this quarter's goal list? If so, which goal? Supporting games in HTML5 is a goal, see: https://wiki.mozilla.org/Platform/2013-Goals "Enable three application types across the platform: Games..." > 7) Please answer the following few questions: (Note: If you are asked to > describe anything, 1-2 sentences shall suffice.) > 7a) Does this feature or code change affect Firefox, Thunderbird or any > product or service the Mozilla ships to end users? Anything that uses Gecko. In practice, only Firefox and maybe Thunderbird, since mobile doesn't have a mouse pointer. > 7b) Are there any portions of the project that interact with 3rd party > services? No. > 7c) Will your application/service collect user data? If so, please describe No. > 8) If you feel something is missing here or you would like to provide other > kind of feedback, feel free to do so here (no limits on size): I think that's it. > 9) Desired Date of review (if known from > https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) > and whom to invite. A 1pm Pacific Time slot, on Monday-Thursday is fine. Please invite at least me. On or after 21 January please.
Comment 7•12 years ago
|
||
(In reply to Ian Melven :imelven from comment #4) > (In reply to Curtis Koenig [:curtisk] from comment #3) > > this bug is flagged needs-info before we can do a review > > Looking at the w3c bug and the discussion in the bug for the actual work > here, it seems like there's a disconnect between what the spec says, what FF > does, and what Chrome does. Right, we decided to have the pointer lock spec piggy-back on the security model of the fullscreen API, and only work in fullscreen mode. This simplified what kind of security discussions we needed to have at the time. > Maybe providing security input there or for the spec (or in the w3c bug) > might be more useful than a review per se at this point ? It seems like > we're more at the point where we want to figure out what to do, than > reviewing what we've done. Yes, we're at the point where we want to figure out what to do, i.e. how can we implement this in a safe-enough fashion.
![]() |
Assignee | |
Comment 8•12 years ago
|
||
How about Mon 25-Feb 1pm PST? Sorry for dropping the ball on this one.
Flags: needinfo?(cpearce)
Comment 9•12 years ago
|
||
(In reply to Curtis Koenig [:curtisk] from comment #8) > How about Mon 25-Feb 1pm PST? > Sorry for dropping the ball on this one. Mon 25-Feb 1pm PST would be good.
Flags: needinfo?(cpearce)
![]() |
Assignee | |
Comment 10•12 years ago
|
||
Meeting Details: * Mon 25-Feb-2013, 1300 PST * Where: - MTV - 3v Very Good Very Mighty - SFO - 319- Golden Gate Bridge - Vidyo(9710) secreview [https://v.mozilla.com/flex.html?roomdirect.html&key=EEtiuXn8C5EP] * IRC Channel: #security * Etherpad: http://etherpad.mozilla.com/secreview * Dial-in Info (phone): - In office or soft phone: extension 92 - US/INTL: 650-903-0800 or 650-215-1282 then extension 92 - Toronto: 416-848-3114 then extension 92 - Toll-free: 800-707-2533 then password 369 - Conference num 99710 Items to be reviewed: https://bugzilla.mozilla.org/show_bug.cgi?id=822654 Agenda: * Introduce Feature (5-10 minutes) [can be answered ahead of time to save meeting time] - Goal of Feature, what is trying to be achieved (problem solved, use cases, etc) - What solutions/approaches were considered other than the proposed solution? - Why was this solution chosen? - Any security threats already considered in the design and why? * Threat Brainstorming (30-40 minutes) * Conclusions / Action Items (10-20 minutes)
Updated•12 years ago
|
Comment 11•12 years ago
|
||
Notes from security review conducted 25 Feb 2013 PST. We also covered the issue of having multiple fullscreen windows open on multiple monitors, and allowing fullscreen windows to be blured without them exiting fullscreen (bug 805613 and bug 724554).
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
![]() |
Assignee | |
Comment 12•12 years ago
|
||
https://wiki.mozilla.org/Security/Reviews/Mouse-Pointer_Lock
![]() |
Assignee | |
Updated•12 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•