[Wowfunhappy]

> To work around these problems, we rely on the fact that the web page is being sent events from the browser engine. At Firefox, we control the browser engine! Before sending out a mouse event, we can check to see what sort of DOM nodes are directly underneath the cursor.

This triggered some mental alarm bells when I read it.

I understand what Mozilla is trying to accomplish, but this feels like it could become a serious WTF moment for a developer. "There is absolutely no way in hell this element should be able to receive mouse events right now, what is Firefox doing?"

Is this a problem? Perhaps the web is so far down the hacks/exceptions route that adding one more legitimately won't make a difference?

[reubenmorais]

A Web developer is never going to see this. The events mentioned are being sent to the Shadow DOM which implements the PiP UI (as well as the default video controls UI), not the webpage.

[detaro]

I don't think they are talking about mouse events the website can observe. Firefox needs to figure out where the video is and make it's UI on top of that work, there is no observable interaction with the site DOM or its event handlers.

[hoten]

The post says that the video element is told it's being hovered, although it is unclear if that means the rendering context has that element set to hover (thus CSS changes even if pointer events is set to none), or that some internal-to-the-browser state is set to hover for the video.

[stingraycharles]

Yeah I must agree with you. Reading that part, I could only think: “Someone will figure out how to turn this into a major security issue.”

It sounds like the kind of stuff that clickjackers use, but this sounds like it could be used for even more nefarious purposes.