Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multi-Screen Window Placement: Fullscreen Companion Window #636

Open
morsssss opened this issue May 9, 2022 · 6 comments
Open

Multi-Screen Window Placement: Fullscreen Companion Window #636

morsssss opened this issue May 9, 2022 · 6 comments

Comments

@morsssss
Copy link

morsssss commented May 9, 2022

Request for Mozilla Position on an Emerging Web Specification

  • Specification Title: Multi-Screen Window Placement: Fullscreen Companion Window
  • Specification or proposal URL: Explainer
  • Original API specification: https://w3c.github.io/window-placement/
  • Mozillians who can provide input (optional): annevk, dbratell, martinthomson

Other information

Fullscreen Companion Window allows sites to place fullscreen content and a popup window on separate screens from a single user activation.

This is a small enhancement of the Multi-Screen Window Placement feature. Please see #542 for details.

@annevk
Copy link
Contributor

annevk commented May 20, 2022

https://w3c.github.io/window-placement/#security doesn't really detail the main attack I can think of. Which is that you have multiple screens but you don't pay attention to all of them. At some point you click and a site takes over a screen imitating your OS and asks for credentials for something. If the user isn't paying attention, for instance, because they are playing a game (click-a-mole), it seems quite easy for the "[origin] is now fullscreen" message to get ignored.

(The security section also does a thing I actively dislike, which is to list a bunch of table stakes measures upfront. Obviously those improve security, but they are so basic that any attacker can get all of them easily so listing them there as if they prevent anything meaningful seems wrong.)

@morsssss
Copy link
Author

I understand the concern - but I'm trying to imagine the attack you describe. It depends on a couple of factors, both of which seem unlikely to me.

  • The user has to have so many screens that there's one they don't pay much attention to, to the extent that they wouldn't notice a malicious site taking over that screen entirely.
  • The site has to make a fullscreen window filled with something that looks like the user's OS' usual background, behind the dishonest call to action.

I just am not sure that such an attack is worth attempting, when there are other things a malicious site could do in any window that would be easier to pull off.

@annevk
Copy link
Contributor

annevk commented May 20, 2022

I'm not privy to all multi-screen setups, but I can imagine you might have some kind of monitoring thing you don't look at often. And it doesn't have to be the OS's usual background, they could also spoof the browser and some website.

@michaelwasserman
Copy link

Thanks for this feedback. The second sentence of that Security Considerations section states (emphasis added here):

Sites may attempt to prominently display sensitive content on unexpected screens, surreptitiously display undesirable content on less conspicuous screens, or otherwise place content on specific screens to act in deceptive, abusive, or annoying manners.

That was written to capture concerns including the specific scenario you describe here. I started a PR to clarify that paragraph, and even suggest a potential protection. Feedback there or more discussion here is welcome. Thank you!

@michaelwasserman
Copy link

The concern that a user agent's fullscreen message might go unnoticed is valid. The explainer's new Security Considerations section calls this out concretely and suggests a potential mitigation: the user agent could show a similar message when the fullscreen window seems to regain the user's attention.

As I mention in standards-position issue for the base API: I welcome the opportunity to continue discussing this topic at TPAC! If anyone is interested, we can add a Second Screen WG/CG agenda topic, or expand the scope of my tentative breakout session.

@michaelwasserman
Copy link

michaelwasserman commented Mar 4, 2023

I invite your consideration of w3c/window-management#100 and w3c/window-management#130, which clarify security and privacy considerations and suggest potential mitigations aligned with feedback from this issue and #542.

Discussion at the upcoming Second Screen WG/CG - 2023 Q1 virtual meeting #7, in this issue, or elsewhere is greatly appreciated. Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Unscreened
Development

No branches or pull requests

3 participants