Security/Reviews/ReviewNotes/MouseLock

Introduce Feature

Mouse

• https://wiki.mozilla.org/Security/Reviews/ReviewNotes/MouseLock
• https://bugzilla.mozilla.org/show_bug.cgi?id=633602
• http://www.w3.org/Bugs/Public/show_bug.cgi?id=9557

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

• Google has a spec for Chrome
  • https://docs.google.com/document/d/1uV4uDVIe9-8XdVndW8nNGWBfqn9ieeop-5TRfScOG_o/edit?hl=en_US&authkey=CM-dw7QG
• move mouse around without bumping into an "edge", the movement goes "forever"
• mouse locked to an element

- What solutions/approaches were considered other than the proposed solution?

• Driven by W3C specs

Why was this solution chosen?

Any security threats already considered in the design and why?

• Prevent user from getting back control of his/her mouse

[From Google Doc]

• User gestures may be misdirected to elements the user did not intend to interact with.
• Mouse Lock will remove the ability of a user to interact with user agent and operating system controls
• Mouse Lock can be called repeated by script after user exits mouse lock, blocking user from meaningful progress.
• Full screen exit instructions are displayed in some user agents when the mouse is moved to the top of the screen. During mouse lock that gesture is not possible.

Threat Brainstorming

• request for mouselock when not in full screen
  • some kind of notification (door hanger?)
  • somewhat dependant on what kind of user interaction to enter full-screen
  • esc should work, but other mouse commands (like scroll to top) many not

Conclusions / Action Items

• This should only work in Full Screen and switching to another tab/context then this should be lost
  • ability to ESC out
  • part of initial bug