Re: full screen api from Maciej Stachowiak on 2012-10-15 (public-webapps@w3.org from October to December 2012)

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 15 Oct 2012 03:44:06 -0700
To: Chris Pearce <cpearce@mozilla.com>
Cc: "Carr, Wayne" <wayne.carr@intel.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-id: <D95AA315-4559-4F8C-A4D0-F35E760BA434@apple.com>

On Oct 14, 2012, at 3:52 PM, Chris Pearce <cpearce@mozilla.com> wrote:

> On 13/10/12 07:20, Carr, Wayne wrote:
>> There’s a recent post on a phishing attack using the full screen api [1][2}[3].
> 
> It's worth noting that this attack has been possible in Flash for years, and the sky hasn't fallen.

For most of that time, Flash has either not allowed any keyboard input, or allowed only non-alphanumeric keys. That has significantly different security characteristics against a phishing threat model than full-keyboard-enabled fullscreen.

Just recently (in Flash 11.3) they added optional full keyboard input, but that puts up a separate permission prompt and doesn't pass through keys until the user approves.

Regards,
Maciej

Received on Monday, 15 October 2012 10:44:34 UTC