In the last two months I've had two bogus security web pages declare that my computer is infected with instructions to correct it. This is not new, but what was new was that my mouse pointer was locked and gone. Long or short pressing the "ESC" key did nothing to return mouse control. It is unknown whether my keyboard was also locked. Rebooting regained mouse and keyboard control.
A little research and it appears that Chrome grants web page authors the ability to take control of a user's mouse and keyboard via the pointer lock api and the keyboard lock api without the permission of the user. Vivaldi offers users the ability to change permissions for a large number of functions in the browser but not pointer lock or keyboard lock.
Searches yielded no results on how a Vivaldi user could revoke default permissions for access to these APIs. Anyone know how a user can revoke permissions for access to the pointer lock API and keyboard lock API?
@apagano01192021 Revoke? Unknown, but moving the pointer outside the application window should remove Vivaldi's control of the cursor. Then you should be able to use the OS to close the offending tab or select a different one. Presuming you're not in fullscreen mode where there is no area outside the window.
See the blog entry for Chrome for Developers website concerning Pointer Lock API and the Keyboard Lock API that Chrome apparently makes available for use by Web authors here: https://developer.chrome.com/blog/keyboard-lock-pointer-lock-permission. The Chrome for Developers blog post seems to make clear that permission for access to these APIs is revokable by the user.
However Vivaldi doesn't appear to give its users access to these permissions. Vivaldi allows the user to revoke or allow approximately 30 different functions available to web page authors at Settings--> Privacy and Security--> web page global permissions.
I'm running Linux Mint on a laptop and I'm always in full screen mode. While I'm trying to learn how to revoke permissions to the Pointer Lock API I'm also trying to learn some Linux keyboard shortcuts in the event of my pointer being locked again. However, if the rogue web page also locked my keyboard (which it apparently can do with the Keyboard Lock API) then the average novice GUI user is screwed and is left with a reboot as the only option.
@apagano01192021 System keyboard shortcuts would never even reach Vivaldi, so for example you could switch to a terminal and kill the Vivaldi process if you have some familiarity with the command line. I've done something similar in the past when a system update misconfigured my graphical desktop - I switched to a terminal, killed XF86 (at the time) and reran the configuration utility. No application can block that.
Pathduck Moderator Soprano Supporters
Far as I can tell, Keyboard Lock does not work in Vivaldi at all. Testing here:
https://permission.site
https://chrome.dev/keyboard-lock/
It works in Chrome, Opera and Edge, but also fails in Brave with the same JS error. So either Vivaldi and Brave decided to not implement this API or it's "just a bug".
However, it might still be possible for rogue websites to capture keys through Javascript like is done here:
https://www.toptal.com/developers/keycode
https://unixpapa.com/js/testkey.html
The built-in hotkeys like Ctrl+W, Ctrl+N, Ctrl+T should still work though.
Vivaldi even has a setting specifically overriding websites capturing keys:
In the worst case, most OS have a "dead mans key" to allow at least terminating the browser process.
In Windows this would be Ctrl+Alt+Del allowing you to open Task Manager and break the lock.
The OS-reserved Alt+Tab might also work to swap windows.
A reboot should not be necessary.
If you can come across any such site that completely breaks this please post the url here in `code blocks` so it won't be linked.
The Chrome for Developers blog post seems to make clear that permission for access to these APIs is revokable by the user.
Looks like Chromium devs rolled that back, far as I can tell there's no permission dialog in Chrome 138:
https://groups.google.com/a/chromium.org/g/blink-dev/c/VVXBah4qOpA/m/1YeVLCm-BQAJ
There's also no website permission for these APIs under chrome://settings/content in Chrome nor Vivaldi.
Some interesting reading about this API abuse attack:
https://textslashplain.com/2023/09/12/attack-techniques-fullscreen-abuse/
With a pretty nasty example of what it can do:
https://webdbg.com/test/fullscreen/
The APIs have their use for cases like fullscreen games and heavy web apps. But generally I think these APIs give lowlifes too much power to scare unwary browser users and I wish the people who implemented them thought about abuse patterns before implementing them. They should be default hidden behind explicit permissions defaulting to blocked.
These days developers seem to follow users' wishes of "convenience über alles" instead of thinking about the security ramifications of fancy new APIs.
Worst case probably is Push Notification Spam.
https://textslashplain.com/2022/09/27/badware-techniques-notification-spam/
Push Notifications should default be blocked and not set to ask. It's way too easy tricking users to allowing them to send spam.
Thanks for the info. I'll have to research the keyboard shortcuts for Linux Mint.
And I guess a request to the developers to add a PointerLock global website permission setting at their Privacy and Security settings.
@apagano01192021 If you can find a site where they're able to lock your keyboard interaction that would be good. But these sites are run by scammer scum, are often short-lived and not easy to find if looking.
Like I said, Vivaldi does not seem to support the Keyboard Lock API at all and this is an old bug from 2023:
VB-99078 Keyboard lock API broken
Obviously when/if they fix it they will have to make sure it behaves like Chrome/Chromium, i.e. that holding ESC will exit the lock.
I made a quick mockup of the fullscreen/keyboard/pointer lock APIs:
https://pathduck.github.io/test/keyboard-lock/
The keyboard lock does not work in Vivaldi but the pointer lock does, however it can easily be unlocked by pressing ESC.
I said in Rogue websites locked my mouse pointer:
There's also no website permission for these APIs under chrome://settings/content in Chrome nor Vivaldi.
Correction, the permission for Keyboard Lock is hidden beneath an experimental flag:
Keyboard Lock prompt
Requesting to use the keyboard lock API causes a permission prompt to be shown. – Mac, Windows, Linux, ChromeOS
chrome://flags/#keyboard-lock-prompt
This adds a new permission page under:
chrome://settings/content/keyboardLock
Kind of a moot point as Vivaldi does not support the API at all currently, whether a bug or intentional.
Thank you for your time. Oddly enough I encountered the rogue web pages while viewing a computer hacker news aggregator website (I think "The Hacker News"). I will do some experimenting once I'm a little more comfortable with using the keyboard as a substitute for the mouse.
In both instances when my pointer was locked I did use both short and long presses of the "ESC" key without success. As a strictly GUI novice the "ESC" and Power button are the only two things I know.
@apagano01192021 said in Rogue websites locked my mouse pointer:
Oddly enough I encountered the rogue web pages while viewing a computer hacker news aggregator website (I think "The Hacker News").
So it was not a scammer site?
Did it say your "computer is infected" or ask you to call a "Microsoft" number?
Hard to understand what might be going on without an actual example.
Test the demo page, see if the Keyboard Lock button works full-screen:
https://pathduck.github.io/test/keyboard-lock/
Wow. Using chrome://flags/#keyboard-lock-prompt I was able to enable a permission prompt for an attempted use of the Keyboard Lock API, but I was not able to duplicate the permission prompt using chrome://settings/content/keyboardLock
As far as I know "The Hacker News" is strictly a news aggregator and I've never had previous problems there, but they do have some ads. My best recollection is that I was reading The Hacker News when the rogue "computer security" window popped up. Possible I accidentally clicked on an ad.
Pathduck Moderator Soprano Supporters
@apagano01192021 said in Rogue websites locked my mouse pointer:
Wow. Using chrome://flags/#keyboard-lock-prompt I was able to enable a permission prompt for an attempted use of the Keyboard Lock API
As already said, the Keyboard Lock API does not work in Vivaldi at all.
So you can enable the flag, but it won't do anything.
If you enable the flag in a browser where it works - i.e. Chrome/Edge/Opera - and go to a site using the API, you will see the same dialog I posted an image of above.
This is an experimental flag, meaning Chromium developers have not decided if they want to make it default or not.
but I was not able to duplicate the permission prompt using chrome://settings/content/keyboardLock
I don't believe you understand this fully. That Chromium settings page is for controlling the permissions toggled by the experimental flag. It does not activate the dialog itself.
Thanks, I understand now.