Re: Defenses against phishing via the fullscreen api (was Re: full screen api)

On Tue, Oct 16, 2012 at 10:56 PM, Vincent Scheib <scheib@google.com> wrote:

> However, if other browsers only implement fullscreen without keyboard
> support then clearly it would be best if developers could detect this when
> composing their application interface, avoiding prompting users to enter
> fullscreen if it will not work correctly.
>
It is absolutely mandatory that if entering fullscreen will disable random
capabilities (such as the keyboard) that developers can query that. The
reason as you've mentioned is that if you enter fullscreen and things stop
working, that is not an acceptable situation. Users will think the
application has a bug and close the site's tab.

In the presence of an unknown working state after entering fullscreen,
developers could never place a button to allow entering fullscreen.
Developers would have to hide the option to enter fullscreen behind a
dialog educating users that they can enter fullscreen, but if things stop
working it is not the fault of the application offering that button, but of
the browser vendor, and that instead of closing a tab of a bugged
application, they should try it without fullscreen and pretty please don't
blame the developer for making a buggy app. I consider that bad UX btw.

Received on Tuesday, 16 October 2012 22:39:29 UTC