
RE: full screen api

From: Carr, Wayne <wayne.carr@intel.com>
Date: Mon, 15 Oct 2012 20:21:40 +0000
To: Chris Pearce <cpearce@mozilla.com>
CC: "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <52F8A45B68FD784E8E4FEE4DA9C6E52A3FC4A5EE@ORSMSX101.amr.corp.intel.com>
> If you're going to argue that people won't pay attention to an approval prompt shown after entering fullscreen, then the same argument also applies to showing the approval UI before entering fullscreen.

Yes, except if you don’t go full screen they can’t make it look like your browser has navigated to your bank.  So that is much better.

It isn’t enough that some implementers can do something safe.  The spec shouldn’t let it be the case that an app can go full screen and imitate the Browser to fool the user about where they are.

> If permission must be requested before entering fullscreen there's no way for script to distinguish between the case of the user
> being about to approve/deny the permission request, or the user having ignored the permission request. So it's harder for script to know whether/when it should take its fallback path.

If the user denies the request, I’d think the fullscreenerror would get fired so the script would know it isn’t going full screen.  They also would have never gotten the full screen changed event.  So it knows if the user said yes or not.

From: Chris Pearce [mailto:cpearce@mozilla.com]
Sent: Sunday, October 14, 2012 3:52 PM
To: Carr, Wayne
Cc: public-webapps@w3.org
Subject: Re: full screen api

On 13/10/12 07:20, Carr, Wayne wrote:
There’s a recent post on a phishing attack using the full screen api [1][2][3].

It's worth noting that this attack has been possible in Flash for years, and the sky hasn't fallen.



Running the example attack, Firefox and Chrome both put up a popup at the top saying the site has gone full screen and asking to approve or deny.  But for both of them the screen is already full screen and active (Firefox greys the content but doesn’t disable it).  So if the user doesn’t see the popup or ignores it, they can think they’re interacting with another site.  In the example, it is a bank.

Why not require in the spec that it doesn’t go full screen until after the user approves?

This is basically for scripts/authors' benefit. If permission must be requested before entering fullscreen there's no way for script to distinguish between the case of the user being about to approve/deny the permission request, or the user having ignored the permission request. So it's harder for script to know whether/when it should take its fallback path.

However I believe the current specification could be interpreted to allow a permission prompt before entering fullscreen; the specification for requestFullscreen() says it runs asynchronously, which gives scope for a permission request before or approval request after entering fullscreen.



  That would at least force the user to pay attention to the popup.

If you're going to argue that people won't pay attention to an approval prompt shown after entering fullscreen, then the same argument also applies to showing the approval UI before entering fullscreen.


Regards,
Chris Pearce.
Received on Monday, 15 October 2012 20:22:18 GMT
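
The script-side question debated in this thread (approved, denied, or prompt not yet answered) can be sketched with the `fullscreenchange` and `fullscreenerror` events. This is an added example, not code from either poster or from the specification; `trackFullscreenRequest`, `deadlineMs` and `schedule` are hypothetical names and the 5-second deadline is an assumed value.

```javascript
// Added illustration: classify the outcome of a fullscreen request.
// doc: the Document the events are listened for on; element: node to show full screen.
// schedule is injectable (defaults to setTimeout) so the deadline can be driven by hand.
function trackFullscreenRequest(doc, element, onOutcome, deadlineMs = 5000, schedule = setTimeout) {
  let outcome = 'pending'; // 'pending' | 'no-answer' | 'entered' | 'denied'
  const report = (value) => { outcome = value; onOutcome(value); };

  function stop() {
    doc.removeEventListener('fullscreenchange', onChange);
    doc.removeEventListener('fullscreenerror', onError);
  }
  function onChange() {
    // fullscreenchange also fires on exit and for other elements,
    // so confirm that our element is the one being displayed.
    if (doc.fullscreenElement !== element) return;
    stop();
    report('entered');
  }
  function onError() {
    // Denial (or any other refusal) surfaces as fullscreenerror.
    stop();
    report('denied');
  }

  doc.addEventListener('fullscreenchange', onChange);
  doc.addEventListener('fullscreenerror', onError);

  // With a prompt shown before entry, an unanswered or ignored prompt fires
  // neither event. After the deadline, report 'no-answer' so the page can take
  // its fallback path, but keep listening: a late approval or denial is still
  // reported, letting the page undo the fallback.
  schedule(() => { if (outcome === 'pending') report('no-answer'); }, deadlineMs);

  // Engines that return a promise reject it on refusal; fullscreenerror
  // already covers that case, so the rejection is swallowed here.
  const pending = element.requestFullscreen();
  if (pending && typeof pending.catch === 'function') pending.catch(() => {});

  return () => outcome; // getter for the current state
}
```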
