Re: Defenses against phishing via the fullscreen api (was Re: full screen api)

On Tue, Oct 23, 2012 at 12:50 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> Based on all this, I continue to think that requesting keyboard access
> should involve separate API, so that it can be feature-detected and given
> different security treatment by vendors as desired. This is what Flash does,
> and they have the most experience dealing with the security implications of
> fullscreen on the Web.

Gecko and Chrome have indicated they do not desire this distinction.
You have indicated your desire to maybe enable keyboard access in the
future, but you do not have a thought-out UI. Given this is the data
we are working with, it seems unwise to change direction at this point.

The specification is modeled after Gecko and Chrome and very much
intends to have keyboard access working. As per usual, everything that
is not restricted is expected to work.

I am willing to add some wording to the security section to make the
risks of keyboard access more clear. Does anyone have some suggested
wording?


-- 
http://annevankesteren.nl/

Received on Tuesday, 18 December 2012 14:45:16 UTC