- From: Florian Bösch <pyalot@gmail.com>
- Date: Fri, 12 Oct 2012 20:25:22 +0200
- To: "Carr, Wayne" <wayne.carr@intel.com>
- Cc: "public-webapps@w3.org" <public-webapps@w3.org>
- Message-ID: <CAOK8ODiRc7xNO7+KtYmWupZgry7mDtKowLJBt9CQ4uYzc9GuZg@mail.gmail.com>
There was a limited discussion on that a few days ago with the limited consensus (?) being that requiring user-consent up front before switching to fullscreen is desired, should be in the standard and isn't sacrificing UX.

On Fri, Oct 12, 2012 at 8:20 PM, Carr, Wayne <wayne.carr@intel.com> wrote:

> There’s a recent post on a phishing attack using the full screen api [1][2][3].
>
> Running the example attack, Firefox and Chrome both put up a popup at the top saying the site has gone full screen and asking to approve or deny. But for both of them the screen is already full screen and active (Firefox greys the content but doesn’t disable it). So if the user doesn’t see the popup or ignores it, they can think they’re interacting with another site. In the example, it is a bank.
>
> Why not require in the spec that it doesn’t go full screen until after the user approves? That would at least force the user to pay attention to the popup. A note in the warning to users that full screen apps can mimic other sites may be useful.
>
> The draft now says “User agents should ensure, e.g. by means of an overlay, that the end user is aware something is displayed fullscreen.”.
>
> That “should” should be “MUST” and it should say no switch can happen to full screen until after the user has approved.
>
> The draft also says “This specification was published by the WHATWG <http://www.w3.org/community/whatwg/>. It is not a W3C Standard nor is it on the W3C Standards Track” which is a bit confusing for a draft I got off the WebApps WG page, is a deliverable in the WebApps charter and which has been published as a FPWD by the WG.
>
> [1] http://feross.org/html5-fullscreen-api-attack/
> [2] http://threatpost.com/en_us/blogs/proof-concept-exploits-html5-fullscreen-api-social-engineering-100912
> [3] http://dvcs.w3.org/hg/fullscreen/raw-file/tip/Overview.html
Received on Friday, 12 October 2012 18:25:50 UTC