Free display on secure desktop switch

[LeonarddeR]

Link to issue number:

Alternative to #18789
Suggested in #18789 (comment)
Fixes #2315

Summary of the issue:

Currently, braille doesn't work properly on secure screens because the braille display is held by the logged in copy.

Description of user facing changes:

When NVDA is installed, it disconnects braille when entering secure desktop and reconnects when exiting it.

Description of developer facing changes:

None

Description of development approach:

1. Added a secure desktop switch extension point to the braille handler.
2. Set a private class property on the braille display driver to ensure the display isn't cleared, in order to make it clear that the secure desktop was entered. This is communicated with an ui.message in IAccessibleHandler.
3. When leaving secure desktop and auto detect was enabled, try to reconnect to the last detected display before doing a full scan.

Testing strategy:

• Tested via USB with a APH Mantis Q40
• Tested via Bluetooth with a APH Mantis Q40 as the only Bluetooth device available
• Tested both automatic detect and manual display selection cases

Known issues with pull request:

1. After exiting the secure desktop, it takes some time before the display is back in action. I must say though that with Bluetooth this isn't considerably slower
2. When using a custom braille display driver bundled in an add-on, the add-on needs to be available on the system copy of NVDA. This has always been the case though, but is fixable with the approach in WIP: Use remote on Secure Desktop to send speech and braille to the user copy #18789.
3. When using manual braille display selection, reconnecting to the display after closing the secure desktop happens on the main thread. This can lead to a temporary freeze of NVDA, depending on how long it takes for the driver to connect. Note however that the same freeze would occur when starting NVDA.

Open question

• Do we want to make this configurable?

I considered this, but then figured that the UX for this would at least be a bit vague. People never had Braille available on secure screens, and then adding a config option like "disable braille when entering secure desktop" would do exactly the opposite from the user's perspective. Not everyone is aware of the separate copy on secure desktop. Would especially be curious to @Qchristensen's opinion on this matter.

Code Review Checklist:

• Documentation:
  • Change log entry
  • User Documentation
  • Developer / Technical Documentation
  • Context sensitive help for GUI changes
• Testing:
  • Unit tests
  • System (end to end) tests
  • Manual testing
• UX of all users considered:
  • Speech
  • Braille
  • Low Vision
  • Different web browsers
  • Localization in other languages / culture than English
• API is compatible with existing add-ons.
• Security precautions taken.

[seanbudd]

I like this new approach a lot more.

After exiting the secure desktop, it takes some time before the display is back in action. I must say though that with Bluetooth this isn't considerably slower. I have something in mind to improve this.

I think that adding this feature is worth the trade off. What do you have in mind to improve this?

When using a custom braille display driver bundled in an add-on, the add-on needs to be available on the system copy of NVDA

I think that makes sense for how NVDA should work.

[LeonarddeR]

After exiting the secure desktop, it takes some time before the display is back in action. I must say though that with Bluetooth this isn't considerably slower. I have something in mind to improve this.

I think that adding this feature is worth the trade off. What do you have in mind to improve this?

When a display is detected, we can store its device match on the braille handler as _lastDetectedDisplay. Then, after closing the secure desktop, we initialise detection giving preference to the last detected display.
We can even consider communicating this match to the secure copy, but then we need a more generic way to communicate this kind of things. We could consider making the IPC communication in the NVDA remote client more global.

[LeonarddeR]

Regarding the ux, we can also bind the auto disconnect to the auto detect function only. I think that actually makes much sense. It also avoids NVDA main thread freezes when reinitializing a display on the main thread that was manually detected.

[SaschaCowley]

@LeonarddeR in general this looks pretty good to me. I am a little concerned about not freeing the display if auto-detection is disabled:

• What if the braille display doesn't support auto-detection, but the user has set up their user and secure desktop copies of NVDA to use their display?
• What if they are using a manually selected display, and switch users to another account which also has NVDA (or a different screen reader) and whose user wants to use the same braille display?

[LeonarddeR]

@SaschaCowley wrote:

* What if the braille display doesn't support auto-detection, but the user has set up their user and secure desktop copies of NVDA to use their display?

Behavior won't change this pr, i.e. the display is held by the user session.

* What if they are using a manually selected display, and switch users to another account which also has NVDA (or a different screen reader) and whose user wants to use the same braille display?

They can't as long as the user copy holds the display.

I'm happy to revert that particular change. Do we want to make the new feature configurable instead? I'm a bit worried that especially users of manual display selection will have a more laggy experience when entering and closing secure desktop, especially when Bluetooth is used. That said, I don't think we have Bluetooth displays in core that don't support automatic detection.
Making it configurable makes sense to me, but I find it really hard to come up with something in the GUI that explains the feature well and doesn't utterly confuse people.

[SaschaCowley]

I'd remove the configurability for now. If we hear about cases where this negatively impacts users, we can add configuration back in later.

[Copilot]

Pull Request Overview

This PR enables braille displays to work on secure desktops by automatically disconnecting the display when entering a secure desktop and reconnecting when exiting. This allows the secure desktop copy of NVDA to access the braille display while preventing device conflicts.

• Added secure desktop state change extension point to the braille handler
• Implemented automatic disconnection/reconnection of braille displays on secure desktop transitions
• Added preferred device support to braille detection for faster reconnection

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
user_docs/en/changes.md	Added changelog entry documenting the new braille secure desktop feature
source/gui/settingsDialogs.py	Added bdDetect to advanced settings debug logging options
source/config/configSpec.py	Added bdDetect configuration option for debug logging
source/braille.py	Core implementation of secure desktop switching with display disconnection/reconnection
source/bdDetect.py	Enhanced device detection with preferred device support and improved type annotations

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[LeonarddeR]

@SaschaCowley In that case, I just removed the restriction on auto detect.

[SaschaCowley]

Thanks, @LeonarddeR, this is a very long awaited change