This hack works by disabling the real cursor (using a custom CSS cursor image set to a transparent png), then moving around a fake cursor image using JS.
See by comparison this hack I made a few months ago [1], which uses a dynamic CSS cursor image (drawn in JS). The interesting thing it shows is that CSS cursors can escape the viewport, leading to possible security issues.
Same here on a non-hdpi screen (Dell Chromebook 11). The fake padlock appears inside the body and it's quite clearly not part of the browser. Not sure if something changed since it was built or maybe it only works in certain browsers, but certainly doesn't seem like an exploitable issue here.
Nice hack. It's not obvious whether it still works now that GitHub Pages uses HTTPS, though the fact that clicking on the page triggers the same action as clicking the page icon/padlock suggests it does.
I'm on a Linux machine and figured out the trick fairly quickly: clicking the green padlock does not perform the same action. That's part of the hack too, the interface that pops up is styled like the Windows dialog and isn't interactive. (Clicking on it simply dismisses it.)
It's quite convincing otherwise, and that's very frightening. :)
Interesting trick. I was recently looking through Safari CSS Reference and thought using an image to replace the cursor wasn't allowed: "Although the CSS specification allows it, Safari does not support custom cursors." [0]
What are examples of legitimate use-cases for supporting custom cursors? If you're considering using a custom cursors, keep in mind that not all users keep the normal cursor size. At least on macOS, you can increase the size from the Accessibility panel.
Hopefully the web can start providing access to more built-in accessibility features. One such feature that was added recently is Reduced Motion Media Query [1]. Wouldn't it be great to have a media query for "Increase contrast"? I can't be the only one that's occasionally frustrated from websites that mix 50 shades of barely readable gray.
> What are examples of legitimate use-cases for supporting custom cursors?
We build web applications serving expert users for which this is essential. For precise selection the default cursor often occludes important information. Think of how confusing something like Photoshop, AutoCAD or Maya would be without contextual cursors.
It would be sensible, however, to place behind a permission in the same way as location or notification APIs. Unfortunately most browsers' UX for permissions is awful.
OP is specifically talking about the ability to use arbitrary images as cursors. Why aren't the standard i-beam, crosshair, resize etc cursors enough for your purposes?
Modal function cues: paintbucket, eyedropper, etc.
Common interaction cues that span functions but aren't in the CSS set: multiaxis, rotation, etc.
Not to mention the innumerable domain-specific possibilities. It's another example of the tension between the idea of browser-as-the-future-ubiquitous-platform and browser-as-lowest-common-denominator-mobile-safe-sandbox, which is eroding the established niche of desktop software for deep, focused, domain-optimized work because of the tyranny of CRUDy consumption-focused web apps.
Sometimes you're conveying additional information through the cursor. For example, the default cursor in Photoshop when using the brush tools is a circle that shows your brush width, so that when using the brushes you know which area will be painted (see http://pe-images.s3.amazonaws.com/basics/cs5/preferences/sho... for example). Some other CAD applications show whether a line is freestanding or snapped to another through the cursor as well.
If you’re developing a UI with interesting interactions, you can provide useful and intuitive feedback to the user by changing the cursor, either to reflect what will happen if they click at the current location, or to show that for some reason they can not do something by clicking at the current location.
Exactly what actions are possible or potentially expected but actually not possible will naturally depend on context, including the purpose of the application itself, anything already done by the user, and perhaps other factors like whether the user is holding any keys down at the moment. There are endless possibilities where this idea could be useful, from “fill the intermediate cells using rule X” in a spreadsheet to “guard this ally” in a game.
As an aside, UIs that use this technique may also use larger or more complicated tool tips and/or context menus, which means that a lot of the local status and commands within a UI can be viewed in the immediate vicinity of where they are relevant. On larger screens or UIs that divide the available space into different areas for different purposes, that locality can be useful both for reducing user errors and for increasing efficiency.
I am certain in my heart that the most reasonable use case is to replace the cursor with a detailed gauntlet cursor or severed hand as in Warcraft to let the user know whether they are The Alliance or Horde.
Kidding, of course. But damn I loved that sort of thing back when. Especially being able to do it with weird plugins as a fledgling "webmaster".
> What are examples of legitimate use-cases for supporting custom cursors?
Probably special cursors that indicate a different type of action that can be performed; like the hand-shaped pointer you get when hovering over a button or the various resize arrows, but custom. A tipped paint bucket for example on a website presenting a drawing application.
The repel could be dangerous too. There are plenty of features that websites are legally or ethically obligated to provide, but they would rather users not use them. I'm imagining email newsletters with really hard to click unsubscribe buttons.
Pretty smart once you figure out how it works. Wonder if there's some kind of advanced click-jacking attack you could achieve with a technique like this.
I was thinking about this. You can accumulate the position difference and trick the user into clicking anywhere. I'll try to do that right now and update the demo :)
I expect if the iframe is small enough you could trick the user into clicking a small button as they'll click before they realise. Even if they notice, I bet many users would just click anyway after being briefly confused and put it down to a bug.
In latest Firefox, I keep getting it to show the real and fake cursor by switching tabs, hovering a link in another tab, and switching back. Doesn't work every time though.
If you shift+right click in firefox (and keep the menu open but ignore it), you can see both the real and fake cursor at the same time to see what is really happening
This is pretty ingenious. I wonder if something like this can have an effect on call to action click rates. But I guess if the user notices then they're more likely to be pissed.
See by comparison this hack I made a few months ago [1], which uses a dynamic CSS cursor image (drawn in JS). The interesting thing it shows is that CSS cursors can escape the viewport, leading to possible security issues.
[1]: https://jameshfisher.github.io/cursory-hack/