Re: full screen api from Florian Bösch on 2012-10-12 (public-webapps@w3.org from October to December 2012)

From: Florian Bösch <pyalot@gmail.com>
Date: Fri, 12 Oct 2012 20:25:22 +0200
To: "Carr, Wayne" <wayne.carr@intel.com>
Cc: "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <CAOK8ODiRc7xNO7+KtYmWupZgry7mDtKowLJBt9CQ4uYzc9GuZg@mail.gmail.com>

There was a limited discussion on that a few days ago with the limited
consensus (?) being that requiring user-consent up front before switching
to fullscreen is desired, should be in the standard and isn't sacrificing
UX.

On Fri, Oct 12, 2012 at 8:20 PM, Carr, Wayne <wayne.carr@intel.com> wrote:

>  There’s a recent post on a phishing attack using the full screen api
> [1][2}[3].
>
> Running the example attack, Firefox and Chrome both put up a popup at the
> top saying the site has gone full screen and asking to approve or deny.
> But for both of them the screen is already full screen and active (Firefox
> greys the content but doesn’t disable it).  So if the user doesn’t see the
> popup or ignores it, they can think they’re interacting with another site.
> In the example, it is a bank.
>
> Why not require in the spec that it doesn’t go full screen until after the
> user approves?  That would at least force the user to pay attention to the
> popup.  A note in the warning to users that full screen apps can  mimic
> other sites may be useful.
>
> The draft now says “User agents should ensure, e.g. by means of an
> overlay, that the end user is aware something is displayed fullscreen.”.
>
> That “should” should be “MUST” and it should say no switch can happen to
> full screen until after the user has approved.
>
> The draft also says “This specification was published by the *WHATCG*<http://www.w3.org/community/whatwg/>.
> It is not a W3C Standard nor is it on the W3C Standards Track”  which is a
> bit confusing for a draft I got off the WebApps WG page, is a deliverable
> in the WebApps charter and which has been published as a FPWD by the WG.
>
> [1] *http://feross.org/html5-fullscreen-api-attack/*<http://feross.org/html5-fullscreen-api-attack/>
> [2] *
> http://threatpost.com/en_us/blogs/proof-concept-exploits-html5-fullscreen-api-social-engineering-100912
> *<http://threatpost.com/en_us/blogs/proof-concept-exploits-html5-fullscreen-api-social-engineering-100912>
> [3] *http://dvcs.w3.org/hg/fullscreen/raw-file/tip/Overview.html*<http://dvcs.w3.org/hg/fullscreen/raw-file/tip/Overview.html>
>
>

Received on Friday, 12 October 2012 18:25:50 UTC