There is no way that 'pointer lock' should be something you can just click and get your pointer hijacked. You could label that button anything or make it any clickable element. Who the hell at web browser developers thought that was a good idea to implement?
Why not have a "Do you want to allow this site to take control of your pointer?" prompt, same as when a site first wants to use your microphone or camera?
There are a ton of use cases that demand it, so it was added a long time ago (around the same time as Fullscreen, I think). The current user experience for it (opt-out instead of opt-in) has likewise been around for ages. I think I remember seeing an explicit permission prompt very early on but they got rid of it.
"You could label that button anything" sadly applies to a significant number of dangerous things a website can do; pointer lock is not near the top of the list.
I don't see why this is really a security issue. You can't control their pointer, it just becomes disabled. The popup and the pointer lock are managed by the browser, so you can't trick them into doing anything and they can always get out of it by just pressing escape.
I feel like there's a lot of room for accidents here, though. If you aren't expecting a dialog to come up, but are using the mouse, you might accidentally click to accept something you didn't want to do.
And I'm glad web pages can't make use of this; that's just ripe for abuse. Though I suppose what might be acceptable would be a more limited protocol where a webpage is allowed to ask the web browser to move the pointer to a particular non-hidden UI element, and only in response to some sort of user interaction. Still, this sort of thing seems concerning.
This is good news, though I don't see it becoming a standard any time soon without a way of blocking nefarious sites from taking hold of people's pointers. Perhaps a browser warning bar when a site tries to lock the cursor (or does this already happen)?
It's a bit odd to me that it doesn't ask for any kind of permission on Chrome, just that a user click initiates it. It does briefly pop a hint that "<esc>" will release the mouse.
I get a "$WEBSITE has control of your pointer. Press Esc to take back control" message in Firefox when that happens, and the message is pretty big and in your face. Do other popular browsers not have this message? Solves the problem in an elegant way.
> As the meme goes, "why do we even have that lever" to disable a mouse click?
So that web pages can implement their own behaviors for right-click, e.g. web applications which have their own contextual menus, games which use right click as an input, remote desktops which pass right click to the remote host, etc.
It's a really bad idea if nothing else. It's assuming I'm attempting to close the tab every time my pointer leaves the document container, even if I'm just mousing up to click on an add-on.
I will personally blacklist any site that uses interactive features like this.
Thanks for making that clear. But making the user click on something is not really difficult. Don't get me wrong, I really love the possibilities this gives to web developers, I just wanted to point out that this will open yet another way to do harmful things, especially to novice users.
I mean really, it's just like using a normal UI while maniacally clicking as fast as possible. Every nav item you hover over gets selected. Every text field gets entered. Every button you move past gets pressed. It's like that Atari 2600 joystick with the "autofire" switch.
I went through their alternative button ideas. Two of them I "clicked" unintentionally. One of them I couldn't get to "click" at all.
All in all, they've successfully proved that this is a bad idea.
The most it could do is fool you into thinking your cursor is somewhere else within the same web page, which the malicious dev in this case would already have total control over. If they wanted to fool you into clicking something, they'd have an easier time just mis-labeling the button.
> CSS includes a handy pointer-events attribute that makes buttons and links flip to non-interactive
Except that it doesn't; you can still focus those with the keyboard and click them. You should always disable buttons with the `disabled` property instead of that hack.
Hasn't that always been possible using JS? I know that Firefox in its distant past once had an option to not allow websites to catch right clicks, but it's been gone for quite a while.