W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2010

[whatwg] Fullscreen feedback

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 20 Aug 2010 23:29:02 -0700
Message-ID: <AANLkTikkFsVOHmVfcKZiw6hfD1TDAQG76wGFpiynWUbt@mail.gmail.com>
On Fri, Aug 20, 2010 at 10:24 PM, Kit Grose <kit at iqmultimedia.com.au> wrote:
> On 21/08/2010, at 3:21 PM, Adam Barth wrote:
>> On Fri, Aug 20, 2010 at 7:25 PM, Robert O'Callahan <robert at ocallahan.org> wrote:
>>> On Sat, Aug 21, 2010 at 8:24 AM, Ian Hickson <ian at hixie.ch> wrote:
>>>> One comment: Rather than adding an "allowfullscreen" attribute on
>>>> <iframe>, I would suggest just assuing that sandboxed content (i.e.
>>>> content of iframes with the sandbox="" attribute) can't go fullscreen. I
>>>> can provide a sandbox flag for this state. If we think there are use cases
>>>> for allowing sandboxed iframes to go fullscreen, then I can also add a
>>>> keyword that turns off the flag when present (like "allow-scripts" does
>>>> for scripts). (I'm assuming there are no cases for disabling fullscreen
>>>> for unsandboxed iframes; are there?)
>>>
>>> What about legacy content that doesn't use "sandbox"? It might expect
>>> cross-origin IFRAMEs to not be able to take over its window, but if the
>>> IFRAME content goes fullscreen, it effectively can.
>>>
>>> I think allowing subframes to go fullscreen should always be opt-in.
>>
>> How is going fullscreen different from opening a popup window?
>
> It's the same document *in the same state* as it was in when you triggered "fullscreen". You would expect fullscreen on a video or animation not to start that video or animation from the beginning or reload it.

I meant from a security model perspective.  :)

Adam
Received on Friday, 20 August 2010 23:29:02 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:00 UTC