On Oct 14, 2012, at 3:52 PM, Chris Pearce <cpearce@mozilla.com> wrote:
> On 13/10/12 07:20, Carr, Wayne wrote:
>> There’s a recent post on a phishing attack using the full screen api [1][2][3].
>
> It's worth noting that this attack has been possible in Flash for years, and the sky hasn't fallen.
For most of that time, Flash has either not allowed any keyboard input, or allowed only non-alphanumeric keys. That has significantly different security characteristics against a phishing threat model than full-keyboard-enabled fullscreen.

Just recently (in Flash 11.3) they added optional full keyboard input, but that puts up a separate permission prompt and doesn't pass through keys until the user approves.

Regards,
Maciej