Re: Mouse Lock from Brandon Andrews on 2011-06-22 (public-webapps@w3.org from April to June 2011)

From: Brandon Andrews <warcraftthreeft@sbcglobal.net>
Date: Wed, 22 Jun 2011 09:43:35 -0700 (PDT)
To: Olli@pettay.fi, "Tab Atkins Jr." <jackalmage@gmail.com>
Cc: Ryosuke Niwa <rniwa@webkit.org>, Adam Barth <w3c@adambarth.com>, Vincent Scheib <scheib@google.com>, "Gregg Tavares \(wrk\)" <gman@google.com>, Glenn Maynard <glenn@zewt.org>, Charles Pritchard <chuck@jumis.com>, Kenneth Russell <kbr@google.com>, robert@ocallahan.org, public-webapps@w3.org
Message-ID: <397521.95455.qm@web83811.mail.sp1.yahoo.com>

On 06/22/2011 11:34 AM, Olli wrote:

>> The intent is to allow non-fullscreen
>> games to lock the mouse when the user clicks the "Start Game" button
>> or similar.  (For the malicious authors, see below.)
>>
>>> Also, once my mouse is locked, how do I free it?
>>
>> That was covered in the paragraph you quoted, though cursorily.  If
>> the mouse is locked in this way, the browser should show a persistent
>> message (either in its chrome or as an overlay) saying something like
>> "Your mouse cursor is being hidden by the webpage.  Press Esc to show
>> the cursor.".
>>
>> This shouldn't be too annoying for the games case, but should allow
>> users, even clueless ones, to know when a site is being malicious and
>> how to fix it.  Once they get their cursor back, they can just leave
>> that page.
>
> So we would end up web apps where after clicking anything in the page 
> user needs to use keyboard to get out of the application?
> Doesn't sound too user friendly.
> IMO, user really should be informed before locking the mouse.

Yes this would require keyboard input. Remember that we already 
recommended the browser warning which is initiated with mouse input to 
select the "allow" option. It's no different than using escape to leave java's
fullscreen window (which provides no warning or reminder on how to escape).
It's also no different than flash's escape used to leave fullscreen. Though
I can see your worry and covering every edge case is important.
You might need to refer to this:
http://www.w3.org/Bugs/Public/show_bug.cgi?id=9557
and the rough spec I initially wrote up (which has flaws that were discussed 
later
in the w3 buglist).
http://code.google.com/p/chromium/issues/detail?id=72754

Comment 36 here is important:
http://www.w3.org/Bugs/Public/show_bug.cgi?id=9557#c36

A user that presses escape to revert mouse lock in quick succession will
cause the user agent to revoke mouse lock privileges from the site
causing the warning to appear again to allow mouse lock. That
combined with a fading screen in the center of the UA the first
time that explains "Press Esc to get your mouse back" (worded in layman
terms) should help to get rid of some problems.

My fear is that continual worry about these security problems will cause
the mouse lock feature to be disabled in the browser with a special unlock
in the options menu which I really don't want to see happen. If you guys can
think of any other solutions it would help a lot. (I know what you mean about
non-technical people getting confused. I actually teach a class on basic
computer use and it's shocking how confusing the keyboard can be to people).

Received on Wednesday, 22 June 2011 16:44:15 UTC