Re: Defenses against phishing via the fullscreen api (was Re: full screen api)

On Oct 15, 2012, at 5:01 PM, Chris Pearce <cpearce@mozilla.com> wrote:

> On 16/10/12 11:39, Maciej Stachowiak wrote:
>> 
>> That's why I liked having a separate API to request fullscreen with full alphanumeric keyboard access. This allows apps to determine if fullscreen with keyboard is available on a given browser, and allows browsers to set separate security policies for that case.
> 
> Would you implement keyboard access in fullscreen via this API if we spec'd it? Or are you looking for a way to for authors to determine if key input isn't supported in fullscreen mode?

Our most likely short-term goal would be the latter (enabling capability detection) but I wouldn't take full keyboard access off the table forever. We would want the freedom to apply different security policy to that case when/if we do it though. 

> 
> 
>> I think the spec should change back to having two distinct APIs, even though Mozilla is not interested in making a distinction between the two cases.
> 
> I'd say fullscreen video is the only fullscreen use case where page script shouldn't need key events dispatched to it. I'm sure some other fullscreen uses wouldn't want key events, but most non-trivial users of fullscreen would want keyboard shortcuts or input.

Many games could work with only non-alphanumeric keys or in some cases only the mouse. As could slideshows. You only need space/enter/arrows for a full screen slide presentation.

What are the cases where webpage-driven (as opposed to browser-chrome-driven) fullscreen is really compelling, but they need full keyboard access including alphanumeric keys? (Not saying there aren't any, I am just not sure what they would be - fullscreen Nethack?)

> 
> Anyway, I'm curious what the Chrome guys think.

Likewise.


Cheers,
Maciej

Received on Tuesday, 16 October 2012 05:49:22 UTC