bad page force fullscreen, can't exit and must Listen to the crap
Reported by
bau...@gmail.com,
May 26 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.71 Safari/537.36

Steps to reproduce the problem:
1. go to http://critical.ms2.s3.eu-central-1.amazonaws.com/33186265347/index.html?ip=78.248.191.20&os=Windows&browser=Chrome&country=FR&city=Basse-hams3.amazonaws.com/33186265347/index.html?ip=78.248.191.20&os=Windows&browser=Chrome&country=FR&city=Basse-ham

What is the expected behavior?
same as old version, request user before authorize fullscreen!! how many time must report new badware that pass your new version

What went wrong?
can't quit fullscreen with ESC. chrome request user password, difficult to access to another tab; more easy with dual screen, can use other screen to access taskmanager

Did this work before? Yes

Chrome version: 59.0.3071.71 Channel: beta
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:

screencast: https://youtu.be/nEMMhlAKCds
May 26 2017
can quit fullscreen with F11, but not with ESC!
May 26 2017
Wow, that's an awful page. I don't think there is a bug here, but I'm cc'ing some people who are more in tune with this kind of thing in case they spot something I am missing. My impression is that the page is abusing UI facilities, but within the rules that we need to allow web applications to work.

I'll spare anyone else reading this the annoyance and record some observations.

1. When the page first loads, voice audio starts and the page shows a fake popup that is almost identical to the one that it later causes JavaScript to launch.
2. If I do nothing, after a few moments it creates a real popup (you can tell the difference because real popups have a slight overlap with browser UI at the top).
3. It goes fullscreen if you click on the actual page, which can include the fake popup, which becomes visible again after dismissing a few of the real popups. Fullscreen includes fake browser UI, with microsoft.com in the URL bar.
4. Fullscreen works as intended. It doesn't happen until the user interacts with the page (probably accidentally), and there is a visual warning that the page has gone fullscreen + press ESC to exit.
5. It makes it difficult to exit fullscreen because the popups keep stealing focus. Pressing F11 works, and escape does work if you hit it repeatedly (you can sneak one in between the popups).

Improving these UI abuse problems is an ongoing process. Not long ago we made a change so that popups can't stop you from closing the tab, and there is work underway that would solve the problem of blocking ESC from working.

The one thing I am not sure about is whether JavaScript popups are supposed to be permitted without a user gesture, and if so, whether we have considered blocking that.
May 26 2017
Avi here.

"whether JavaScript popups are supposed to be permitted without a user gesture, and if so, whether we have considered blocking that."

Two answers here.

First, if we make JavaScript dialogs consume the user gesture then Gmail breaks, because when submitting an external form in a popup, Gmail alerts, then does the popup.

Second, if we say that a page must have had *any* user gesture before allowing dialogs (without consuming it) then that might work, but it's pretty weak. It definitely would need an Intent. This is actually on my big "kill dialogs" list but...

Another possibility would be removing the ability of a page to activate itself using dialogs. That's a huge change, and definitely would require an Intent, but we would be following Firefox and Safari in that one.
May 26 2017
+SafeBrowsing-Ops member
May 26 2017
Wow. That's an amazing page.

Other possible things to consider:
- If you're in fullscreen and a modal dialog displays, always show the tooltip for exiting fullscreen.
- Originally, I think the fullscreen had a tooltip button to exit fullscreen mode. Since that's gone, you can only dismiss it via keyboard shortcuts (and the preferred shortcut is [Esc] which isn't very reliable: palmer@, it sounds like you mentioned there's work to improve this: mind linking the bug?)
May 26 2017
Ah, avi@ pointed out that it's issue 670135 to drop out of fullscreen when a modal dialog appears. I like it, and we should just implement it =)
May 26 2017
May 27 2017
Thanks for the input, all. It looks like issue 670135 already covers the only improvement to Chrome that we would want out of this, so I am duping to that.
May 30 2017
May 30 2017
I don't think popping out of fullscreen would really solve this case, as it can be hard or impossible to close the tabs when they are popping up modal dialogs, even if you can see them. But it does at least alleviate the spoofing concern.
May 30 2017
"it can be hard or impossible to close the tabs when they are popping up modal dialogs, even if you can see them." When a tab pops up a modal dialog, that brings the tab to the front, and the tab is frozen pending response to the dialog. I've never had a problem closing tabs in that situation. Can you clarify the difficulty? I'd like to address it.
May 30 2017
After exit fullscreen (with F11), I can see the tab and click in the X.

I suggest: adding a popup auto-hidden (menu...) to get out of the full screen when we position the mouse at the top of the screen?

+ The chrome task manager accessible with a right click on the application in the windows taskbar, and with a key combination that still works (MAJ-ESC not work in this situation, same in GMAIL). This just for not loss all tab (if not set to restore latest when quit) and to no kill chrome.exe from windows task manager
May 30 2017
#13 I've been stuck in loops like this before where I couldn't click the X because it was not clickable while the modal is up. I have to close the modal then try to quickly click the X while it's down before the next one comes up. I don't have a site to repro it on right now.

#14 No, we don't want to add UI based on mouse movement in full screen. We removed that because it was ruining the experience for games. And it's not effective because the bad site can just use pointer lock to achieve the same.
May 30 2017
and restore the exception list for fullscreen? same as flash, popup, image, notification, localisation...
May 30 2017
#16: No, we don't want an exception list for fullscreen because it isn't harmful (from a security standpoint). At most, it is a denial of service (annoying).
May 30 2017
#17: display image same.. authorize popup same.. It was a convenience of use, a user choice .. a function that I used to allow only the sites that I am brought to use full screen. And I do not understand why it was removed for an automatic option that does not respect my choice
May 30 2017
#15 -- "I've been stuck in loops like this before where I couldn't click the X because it was not clickable while the modal is up." That should be no longer the case. avi@ changed that behavior so that JS modal alerts no longer prevent interaction with browser chrome.
May 31 2017
#18 Chrome does not give users options about what features to enable on the web, other than those with a security risk to the user. (I don't know why we give the option to not show images; seems like a relic from the past.) Notifications are on that list because they can annoy the user long after the page is closed. Fullscreen has been deemed to not present a security risk. It can be annoying, but not after you close the page. There are many other things a page can do to be annoying: play loud music, show alerts, flash bright colours, display offensive content, etc. The answer to all of these is to close the page and not return to it. We don't need a permission for fullscreen.

#19 Great, I haven't experienced it for a while so I guess I've not seen the new behaviour.
May 31 2017
"Fullscreen has been deemed to not present a security risk. It can be annoying, but not after you close the page." Fullscreen prevents you from closing the page. That's why the "press escape to exit fullscreen" bubble is so important.
May 31 2017
The fullscreen notification bubble has security significance. If a page goes fullscreen without alerting the user, it can spoof browser UI, including security indicators (as, indeed, the page linked from this bug report attempts to do).
May 31 2017
Yes the fullscreen *notification* is a security indicator. Any bug that prevents that notification from showing should be treated as a security issue. But auto-granting a page access to fullscreen is not considered a security risk (as long as the notification is shown) because the informed user is able to escape it and not return to the site. It doesn't expose any sensitive data or put the user's system at risk. See Issue 352425.
May 31 2017
I not go to this fullscreen site #1, this site is a popup not blocked by chrome (click zone hidden at the top of a button or a search entry box). I OK, to not block fullscreen page, it's better if Chrome can prevent this open link not requested and hidden.

And for this: Escape not work, notification is shown for this bad site, but totally useless, besides having to be careful and have time to read it before it disappears.. The full screen page with sound is also done to attract attention elsewhere on the popup 'press ESC to exit fullscreen' (first action cut the sound; easy now when not fullscreen; in tab). (Youtube does not include a sound normalizer .. the sound is weak and you need to raise the volume.. You know the rest) And the image of the top banner to make believe that it is chrome and that just click on X which does not work ... while the closing still works.

And when fullscreen can be used to mask background activity (security problem?), new tab opened is not seen because focus in this fullscreen (just flash screen), for example: open new tab to another badsite to test security problem, and more 100... (now with 64bits system, chrome is not limited to use 3GB before crash).

The option existed in chrome before, and perfect, request each page before go fullscreen, and can add it in the list (for never request)
Jun 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0720b02e4f303ea6b114d4ae9453e3a7ff55f8dc

commit 0720b02e4f303ea6b114d4ae9453e3a7ff55f8dc
Author: avi <avi@chromium.org>
Date: Tue Jun 13 03:22:13 2017

If JavaScript shows a dialog, cause the page to lose fullscreen.

BUG=670135, 550017, 726761, 728276

Review-Url: https://codereview.chromium.org/2906133004
Cr-Commit-Position: refs/heads/master@{#478884}

[modify] https://crrev.com/0720b02e4f303ea6b114d4ae9453e3a7ff55f8dc/chrome/browser/printing/print_job_worker.cc
[modify] https://crrev.com/0720b02e4f303ea6b114d4ae9453e3a7ff55f8dc/chrome/browser/printing/print_view_manager.cc
[modify] https://crrev.com/0720b02e4f303ea6b114d4ae9453e3a7ff55f8dc/content/browser/web_contents/web_contents_impl.cc
[modify] https://crrev.com/0720b02e4f303ea6b114d4ae9453e3a7ff55f8dc/content/browser/web_contents/web_contents_impl.h
[modify] https://crrev.com/0720b02e4f303ea6b114d4ae9453e3a7ff55f8dc/content/browser/web_contents/web_contents_impl_browsertest.cc
[modify] https://crrev.com/0720b02e4f303ea6b114d4ae9453e3a7ff55f8dc/content/public/browser/web_contents.h
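The rule named in this commit message, modelled as an added example (not Chromium code and not part of the original thread): a toy tab state machine replays one constructed event trace with and without "a dialog drops fullscreen". The `simulate` function, the event names, and the gesture and Esc handling are assumptions made for illustration.

```javascript
// Added illustration: a toy tab model, not Chromium code.
// Assumptions: one click permits one fullscreen request, and Esc pressed
// while a dialog is open dismisses the dialog instead of leaving fullscreen.
function simulate(events, dialogExitsFullscreen) {
  const tab = { fullscreen: false, gesture: false, dialogOpen: false };
  let dialogsOverFullscreen = 0; // dialogs drawn on top of fullscreen content
  const log = [];
  for (const ev of events) {
    if (ev === "click") {
      tab.gesture = true;
    } else if (ev === "requestFullscreen") {
      if (tab.gesture) {
        tab.fullscreen = true;
        tab.gesture = false;
        log.push("fullscreen entered, exit bubble shown");
      } else {
        log.push("fullscreen request denied, no user gesture");
      }
    } else if (ev === "alert") {
      if (tab.fullscreen && dialogExitsFullscreen) {
        tab.fullscreen = false;
        log.push("dialog shown, fullscreen dropped");
      } else if (tab.fullscreen) {
        dialogsOverFullscreen += 1;
        log.push("dialog shown over fullscreen");
      }
      tab.dialogOpen = true;
    } else if (ev === "esc") {
      if (tab.dialogOpen) {
        tab.dialogOpen = false;
        log.push("esc dismissed dialog");
      } else if (tab.fullscreen) {
        tab.fullscreen = false;
        log.push("esc left fullscreen");
      }
    }
  }
  return { fullscreen: tab.fullscreen, dialogsOverFullscreen, log };
}

// Constructed trace: one accidental click, then the page keeps asking for
// fullscreen and raising dialogs while the user presses Esc.
const trace = ["click", "requestFullscreen", "alert", "esc",
               "requestFullscreen", "alert", "esc",
               "requestFullscreen", "alert", "esc"];
const before = simulate(trace, false); // dialogs allowed over fullscreen
const after = simulate(trace, true);   // a dialog drops fullscreen
console.log("before:", before.fullscreen, before.dialogsOverFullscreen);
console.log("after: ", after.fullscreen, after.dialogsOverFullscreen);
```

In the model, every Esc in the "before" run is absorbed by a dialog, so the tab ends the trace still fullscreen; in the "after" run the first dialog ends fullscreen and the later requests fail for lack of a new gesture.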
Jun 27 2017
Jul 18 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f36b11b74a9d97621a65d466862948b0b8650889

commit f36b11b74a9d97621a65d466862948b0b8650889
Author: Avi Drissman <avi@chromium.org>
Date: Tue Jul 18 23:38:13 2017

If JavaScript shows a dialog, cause the page to lose fullscreen.

BUG=670135, 550017, 726761, 728276
TBR=avi@chromium.org

(cherry picked from commit 0720b02e4f303ea6b114d4ae9453e3a7ff55f8dc)

Review-Url: https://codereview.chromium.org/2906133004
Cr-Original-Commit-Position: refs/heads/master@{#478884}
Change-Id: Id833bfcc88e7faf9129ceb3184e11d37a71c61cc
Reviewed-on: https://chromium-review.googlesource.com/576402
Reviewed-by: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/branch-heads/3112@{#644}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}

[modify] https://crrev.com/f36b11b74a9d97621a65d466862948b0b8650889/chrome/browser/printing/print_job_worker.cc
[modify] https://crrev.com/f36b11b74a9d97621a65d466862948b0b8650889/chrome/browser/printing/print_view_manager.cc
[modify] https://crrev.com/f36b11b74a9d97621a65d466862948b0b8650889/content/browser/web_contents/web_contents_impl.cc
[modify] https://crrev.com/f36b11b74a9d97621a65d466862948b0b8650889/content/browser/web_contents/web_contents_impl.h
[modify] https://crrev.com/f36b11b74a9d97621a65d466862948b0b8650889/content/browser/web_contents/web_contents_impl_browsertest.cc
[modify] https://crrev.com/f36b11b74a9d97621a65d466862948b0b8650889/content/public/browser/web_contents.h
Sep 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by bau...@gmail.com, May 26 2017 (attachment: 98.8 KB)