Given that this is not merely setting a limit because you find that 
implementation more convenient, but actually a case of considering it desirable 
to ignore large cursors in certain cases (and for security reasons even), I 
wonder if this is something that we should consider including in the 
specification. What do you think?

—Florian

On Wednesday, March 13, 2019 at 4:50:01 AM UTC+9, Emilio Cobos Álvarez wrote:
> Hi, just some email I forgot to send a while ago.
> 
> Summary: Block cursor images larger than 32 pixels wide that intersect
> the Browser UI, by falling back to the default cursor (as if no cursor
> image could be loaded).
> 
> This prevents malware sites from hijacking the cursor and making it look
> as if the cursor was on top of the browser UI. See the bug for test-cases
> and examples.
> 
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1445844
> 
> Link to standard: N/A (this is more of an intervention)
> 
> Platform coverage: All desktop platforms.
> 
> Estimated target release: 67
> 
> Preference behind which this will be implemented: Two prefs control this
> behavior. `layout.cursor.block.enabled` controls whether we block
> cursors at all. `layout.cursor.block.max-size` controls the maximum size
> in either axis that the cursor can have without being blocked.
> 
> Devtools bug: I don't think any particular devtools support is needed.
> 
> web-platform-tests: Can't really test this.
> 
> Do other browser engines implement this? Blink is doing the same change
> in https://bugs.chromium.org/p/chromium/issues/detail?id=880863.
> 
> Their data estimates that 0.1% of page visits hit this, and they're
> going with the same cursor size of 32 (I was going initially for 64, see
> bug for discussion).
> 
> I made sure that, should any surprise come up, turning this off is
> trivial, but I think it's worth doing, and the change has been in
> Nightly for quite a while without any surprise.
> 
>  -- Emilio

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
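
The blocking decision described in the intent-to-ship message, as an added sketch that is not part of the thread and is not Gecko's or Blink's code. The two pref names come from the post; the rectangle geometry, the hotspot handling, the function names and the sample coordinates are assumptions made for illustration.

```javascript
// Pref names are taken from the post; the values mirror what it describes.
const PREFS = {
  "layout.cursor.block.enabled": true,
  "layout.cursor.block.max-size": 32,
};

// Constructed sample: content area in window coordinates, with 80px of
// browser UI (tabs, URL bar) above it.
const CONTENT_AREA = { left: 0, top: 80, right: 1280, bottom: 800 };

// Rectangle the cursor image covers when the pointer is at (x, y).
// The image's hotspot is the pixel that sits on the pointer position, so a
// hotspot near the bottom of a tall image pushes the image upwards.
function cursorRect(pointer, image) {
  const left = pointer.x - image.hotspotX;
  const top = pointer.y - image.hotspotY;
  return { left, top, right: left + image.width, bottom: top + image.height };
}

function contains(outer, inner) {
  return inner.left >= outer.left && inner.top >= outer.top &&
         inner.right <= outer.right && inner.bottom <= outer.bottom;
}

// Returns "custom" to draw the page's image, or "default" to fall back to
// the default cursor, as if the image could not be loaded.
function resolveCursor(pointer, image, contentArea, prefs = PREFS) {
  if (!prefs["layout.cursor.block.enabled"]) return "custom";
  const max = prefs["layout.cursor.block.max-size"];
  // "Maximum size in either axis": one oversized dimension is enough.
  const oversized = image.width > max || image.height > max;
  if (!oversized) return "custom";
  // Oversized images are blocked only when part of them would be drawn
  // outside the content area, i.e. over the browser UI.
  return contains(contentArea, cursorRect(pointer, image)) ? "custom" : "default";
}
```

In this model a 128x128 image with its hotspot at the bottom edge is blocked only while the pointer is close enough to the top of the page for the image to reach the browser UI; in the middle of the page it is still drawn.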
