
Re: full screen api

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 15 Oct 2012 03:44:06 -0700
Cc: "Carr, Wayne" <wayne.carr@intel.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-id: <D95AA315-4559-4F8C-A4D0-F35E760BA434@apple.com>
To: Chris Pearce <cpearce@mozilla.com>

On Oct 14, 2012, at 3:52 PM, Chris Pearce <cpearce@mozilla.com> wrote:

> On 13/10/12 07:20, Carr, Wayne wrote:
>> There’s a recent post on a phishing attack using the full screen api [1][2][3].
> 
> It's worth noting that this attack has been possible in Flash for years, and the sky hasn't fallen.

For most of that time, Flash has either not allowed any keyboard input, or allowed only non-alphanumeric keys. That has significantly different security characteristics against a phishing threat model than full-keyboard-enabled fullscreen.

Just recently (in Flash 11.3) they added optional full keyboard input, but that puts up a separate permission prompt and doesn't pass through keys until the user approves.

Regards,
Maciej
Received on Monday, 15 October 2012 10:44:34 GMT
