W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2012

Re: full screen api

From: Florian Bösch <pyalot@gmail.com>
Date: Fri, 12 Oct 2012 20:25:22 +0200
Message-ID: <CAOK8ODiRc7xNO7+KtYmWupZgry7mDtKowLJBt9CQ4uYzc9GuZg@mail.gmail.com>
To: "Carr, Wayne" <wayne.carr@intel.com>
Cc: "public-webapps@w3.org" <public-webapps@w3.org>
There was a limited discussion on that a few days ago with the limited
consensus (?) being that requiring user-consent up front before switching
to fullscreen is desired, should be in the standard and isn't sacrificing

On Fri, Oct 12, 2012 at 8:20 PM, Carr, Wayne <wayne.carr@intel.com> wrote:

>  There’s a recent post on a phishing attack using the full screen api
> [1][2}[3].
> Running the example attack, Firefox and Chrome both put up a popup at the
> top saying the site has gone full screen and asking to approve or deny.
> But for both of them the screen is already full screen and active (Firefox
> greys the content but doesn’t disable it).  So if the user doesn’t see the
> popup or ignores it, they can think they’re interacting with another site.
> In the example, it is a bank.
> Why not require in the spec that it doesn’t go full screen until after the
> user approves?  That would at least force the user to pay attention to the
> popup.  A note in the warning to users that full screen apps can  mimic
> other sites may be useful.
> The draft now says “User agents should ensure, e.g. by means of an
> overlay, that the end user is aware something is displayed fullscreen.”.
> That “should” should be “MUST” and it should say no switch can happen to
> full screen until after the user has approved.
> The draft also says “This specification was published by the *WHATCG*<http://www.w3.org/community/whatwg/>.
> It is not a W3C Standard nor is it on the W3C Standards Track”  which is a
> bit confusing for a draft I got off the WebApps WG page, is a deliverable
> in the WebApps charter and which has been published as a FPWD by the WG.
> [1] *http://feross.org/html5-fullscreen-api-attack/*<http://feross.org/html5-fullscreen-api-attack/>
> [2] *
> http://threatpost.com/en_us/blogs/proof-concept-exploits-html5-fullscreen-api-social-engineering-100912
> *<http://threatpost.com/en_us/blogs/proof-concept-exploits-html5-fullscreen-api-social-engineering-100912>
> [3] *http://dvcs.w3.org/hg/fullscreen/raw-file/tip/Overview.html*<http://dvcs.w3.org/hg/fullscreen/raw-file/tip/Overview.html>
Received on Friday, 12 October 2012 18:25:50 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:49 UTC