-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Window Management #542
Comments
Heads up: This now has a "request to ship" in Chromium. |
Thanks for pinging this up! If someone has time, we would still like Mozilla's position on this. |
I appreciate the detailed explainer here. The Privacy & Security section cites a TAG principle around device enumeration. That actually seems concerning to me as exactly these kind of bits are valuable information to segment and exploit end users. I would be much more comfortable with the website doing some kind of request to present its information and then after the user grants it that power it getting more detailed information about the screen(s). I also miss considerations here around platform independence, a core principle of the web. A lot of work has been done to overcome early X11-centric design decisions and looking at the list of proposed changes in OP this adds them right back in. |
Thank you for providing this feedback, @annevk!
I look forward to discussing your feedback further! |
Like Mike says - thanks for offering this feedback! As you can imagine, quite a bit of work has happened since I posted this request last June. We've traveled far down the road to launch. But this feedback is quite helpful. We'd like to see what we can do to address it, while minimizing potential breakages for any early adopters out there. In other words, if you have time to get to Mike's questions as soon as possible - say, this week - this will help us address your concerns and improve the API for everyone. Thanks, |
Hi @morsssss, @michaelwasserman, I've discussed with this @annevk and in addition to Anne's reservations about the X11-style model (on which I have no opinion), we are concerned that the additional passive exposure of fingerprinting information has not been given enough weight in your analysis. The work includes a few pieces:
So far, this looks fine, but obviously you can't place things on a screen without knowing how to identify that screen. How sites obtain this information, as proposed, is where this falls off the rails. Users with multiple screens are rare and exposing that information passively carries a risk. We'd prefer if this were based on some sort of user action. You appear to have considered an option that we'd prefer:
This seems like an avenue worth exploring more. The browser will know if a window/tab moves to a new window, so it doesn't need user agent-native controls for moving windows; this could rely on observing when windows move by any means. This could be coupled with an event that fires when a user moves a window to another screen (maybe after a small delay). Information about that screen can then be learned by the site. Until a screen is known to a site, the list of screens only includes the current one. Sites can encourage users to manually place a window, once, in order to learn about additional screens. The advantage of this is that there is no increase to the passive fingerprinting surface and no additional prompting. The permission grant is implicit and tied to an action that a user understands. That makes this more like You claim some drawbacks of this approach that I'd like to address:
I'm not seeing evidence that this is the case. If I am a multi-screen user and I constrain the use of a site to one screen, what information are we leaking to that site such that they might learn about the existence of other screens? If there is something, maybe we should be looking to fix that.
This is in our view a reasonable compromise in exchange for more effectively protecting multi-screen user privacy. The one-off cost for users and websites is modest.
Once the screens are known to the site, they can suggest optimal placements. I don't imagine that multi-screen optimizing sites are hyper casual in nature such that this will be a huge problem (counter-examples welcome, of course).
I don't see how this is a problem. Once the site knows about the additional screens, we can remember that they know and expose this information later. So save away.
This is a UA problem and one that seems manageable by using the OS controls if they exist. Though the current shape of the API is what we might consider harmful, we could be more positive with this sort of change. |
Thanks for the quick reply and for brainstorming here; privacy has been an important consideration in our design process all along. If I understand correctly, you suggest that a site could gain persistent access to each screen where the user explicitly places its windows. I think that the currently proposed API shape allows the implementation you're proposing. Could you please follow my outline below and check that conclusion?
There would be many implementation-specific details to resolve with this approach, but it seems feasible and fairly well-aligned with the existing API design. While Chrome wouldn't take this approach (at least for now), I wrote up some initial considerations and concerns for this approach that I would be happy to share separately. Let me try to address some of the other pieces you mentioned:
Can you extrapolate on this? The W3C definition of "passive fingerprinting" does not apply here. JS API usage is detectable on the client and can only be used for “active fingerprinting”. Fingerprinting concerns and mitigations are documented in the API’s Privacy Considerations, which cites requirements of explicit user permission and activation. Please also consider my concrete suggestion to mitigate the active fingerprinting surface of
Hopefully the API shape's compatibility with your suggested implementation approach and picker-based approaches might encourage you to reconsider the perceived harm of this API. Your point-by-point analysis of my screen picker drawbacks is helpful. My naive screen picker brainstorming only considered prompting users on each multi-screen placement, not granting persistent screen access for future placements of any window. Your combined suggestions, to gate screen information and placement capabilities on manual placement and/or screen picking steps, seem like viable implementation approaches compatible with the current API design. At the same time, the API design also allows browsers to offer greater user convenience in a single permission prompt (or none at all), so web applications could correctly arrange multi-screen content without necessitating manual window dragging or screen-picking steps by the user.
My point was that by moving the window from one screen to another by any means, the site may have observed the window.screen information for each of these screens. Thanks again to both of you, @martinthomson and @annevk! If you're interested, we can supplement this discussion with a one-off W3C Second Screen CG or WG meeting. (+CC @anssiko) |
A problem with allowing implementation freedom when it comes to UX is that websites will nonetheless build around a particular pattern. So even if the specification allows for "Website tells the user to use multiple screens so it can make use of them.", websites might not implement that particular pattern leaving users of user agents that implement that pattern in the dark. We've seen this problem manifest before with other APIs. |
Yeah, I don't think that UX freedoms apply if the result is that sites need to act very differently. As @annevk says, we standardize so that sites don't have to do that. |
Standardizing an access model that requires users to move windows between displays as a prerequisite for enumerating screens would necessitate an exceptionally poor user experience, and it would not offer substantial privacy improvements over permission-gated enumeration. That said, the proposed API shape is flexible enough to allow experimentation, and I agree that sites should not need to act very differently. So, a user agent itself may need to engage with users directly, in order to implement novel access models and still support the underlying use cases. Our separate envisioned patterns to enable multi-screen content placement capabilities seem fundamentally compatible, and I still believe that both can be achieved with the proposed API shape. Thanks for your continued insights. |
I'd welcome discussion at the Second Screen WG/CG meeting in May: w3c/secondscreen-wg#4 |
I've put this topic on the meeting agenda w3c/secondscreen-wg#4 @annevk @martinthomson thanks for sharing your perspectives in this issue. You're welcome to participate the upcoming meeting as guests and/or (continue) provide your feedback in an async manner in this issue -- whatever fits your work mode, we'll cater for that. All feedback is welcome and will be considered. |
FYI: This already seems to be implemented and shipped as part of Chrome 100 - Tried in my system and seems to be working perfectly in Chrome, If we can get it in Firefox too, will be super useful. const x = await window.getScreenDetails();
// returns
// {
// currentScreen: {...}
// oncurrentscreenchange: null
// onscreenschange: null
// screens: [{...}, {...}]
// } The below request popup comes up when we do this -- But accessing this - |
@martinthomson: I appreciate the recent continued discussion at the Second Screen vF2F; I hope we'll continue these discussions before/during/after the upcoming TPAC. Please reach out at any time; thanks! |
I welcome the opportunity to continue discussing this topic at TPAC! If anyone is interested, we can add a Second Screen WG/CG agenda topic, or expand the scope of my tentative breakout session. |
I invite your consideration of w3c/window-management#100 and w3c/window-management#130, which clarify security and privacy considerations and suggest potential mitigations aligned with feedback from this issue and #636. Discussion at the upcoming Second Screen WG/CG - 2023 Q1 virtual meeting #7, in this issue, or elsewhere is greatly appreciated. Thank you! |
Request for Mozilla Position on an Emerging Web Specification
Other information
incremental improvements to existing screen information and window placement APIs, allowing web applications to be intentional about the experiences they offer to users of multi-screen devices.
Element.requestFullscreen()
for specific screen requestsWindow.open()
andmoveTo()/moveBy()
for cross-screen coordinatesScreen.isExtended
to expose the presence of extended screen areasScreen.change
, an event fired when Screen attributes changeWindow.getScreens()
to request additional permission-gated screen infoScreens
andScreenAdvanced
interfaces for additional screen infoScreen.availLeft
andScreen.availTop
attributeswindow-placement
entryThe text was updated successfully, but these errors were encountered: