Re: Defenses against phishing via the fullscreen api (was Re: full screen api) from Florian Bösch on 2012-10-22 (public-webapps@w3.org from October to December 2012)

From: Florian Bösch <pyalot@gmail.com>
Date: Tue, 23 Oct 2012 01:38:08 +0200
To: Maciej Stachowiak <mjs@apple.com>
Cc: Chris Pearce <cpearce@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, "Carr, Wayne" <wayne.carr@intel.com>, "public-webapps@w3.org" <public-webapps@w3.org>, Feross Aboukhadijeh <feross@feross.org>, Jonas Sicking <jonas@sicking.cc>
Message-ID: <CAOK8ODjHJ22x-3p7PazJy59rKMNx1yf9SZVGznxEGTocWfB4dw@mail.gmail.com>

On Tue, Oct 23, 2012 at 12:50 AM, Maciej Stachowiak <mjs@apple.com> wrote:

> Based on all this, I continue to think that requesting keyboard access
> should involve separate API, so that it can be feature-detected and given
> different security treatment by vendors as desired. This is what Flash
> does, and they have the most experience dealing with the security
> implications of fullscreen on the Web.
>
I support the notion that if not all vendors can agree on the exact
behavior/restrictions that an API is required to make this transparent to
the application developer both before attempting to request fullscreen
(capability discovery) and as a parameter to request fullscreen (which will
only succeed if that capability is offered).

Received on Monday, 22 October 2012 23:38:37 UTC