[mediumdeviation]

> Remove "(site) is now fullscreen" nag message and make it faster

For a list that want to make the browser more secure, why do they want to remove the only line of defense against sites using fullscreen mode for phishing?

> Disable PDF reader

PDF.js has fewer security vulnerabilities than desktop PDF readers.

> Disable 'safe browsing' aka. Google tracking/logging

This seems like a really bad idea for most users

[okasaki]

> PDF.js has fewer security vulnerabilities than desktop PDF readers.

You can limit desktop readers with something like AppArmor (no network access, only allowed to read files, only allowed to open *.pdf files, etc). You can't (AFAIK) do that with PDF.js.

[TD-Linux]

>only allowed to read files

You just let through the vulnerability in PDF.js.

[okasaki]

No, you give it read-only access to the files it needs (e.g. /usr/) and then everywhere else like /home it can only open *.pdf.

Also, no networking.

[TD-Linux]

AppArmor can't do a *.pdf restriction. Even if it could, you still let through access to every pdf on your system.

The point here is that the sandboxing needs to be watertight, or it's simply not effective. pdf.js runs in the JS sandbox, but here the file origin checking failed. Placing an OS-level sandbox around it doesn't help unless it is just as tight.

[okasaki]

Uh, yes it can

    allow /**/*.pdf r,

[TD-Linux]

Wow okay, didn't realize that (was still thinking in extended-attributes SELinux land).

[stonogo]

> PDF.js has fewer security vulnerabilities than desktop PDF readers.

That's probably because there is one PDF.js and dozens of desktop PDF readers.

PDF.js sprouts CVEs at an alarming rate. It should be disabled until someone does a full-program security audit.

[bpicolo]

The only time I ever see the fullscreen message is when the screen has essentially already fullscreened itself in a case where I want it to. =/

[nfm]

The warning is a bit annoying, but without it attacks like this would be harder to spot: http://feross.org/html5-fullscreen-api-attack/ (it's just a proof-of-concept, no malicious payload)

[thaumasiotes]

Who are all these people who apparently run their browser maximized? Web pages generally get worse as the window gets wider. (Unless, of course, they control their own width, but that's its own obvious prompt to stop wasting all your screen space.)

[J_Darnley]

Only with a rubbish, widescreen display are modern websites crap. Get a nice 4:3 or 5:4 display and everything looks good when maximised.

[thaumasiotes]

No, it would still have to be a small squarish display. Fixing the aspect ratio won't fix the problem that you have way more space than the website will take.

[bpicolo]

That seems like an entirely inadequate warning for an average user to spot phishing anyway.

[rcthompson]

Then you probably haven't visited a phishing site that uses this technique.

[gareim]

It says "suck less", not more secure. And this isn't something that most users would use.