- From: Dave Singer <singer@apple.com>
- Date: Tue, 30 Oct 2007 09:20:49 +0100
At 5:47 +0000 30/10/07, Ian Hickson wrote:
>>> Also, if the setting exists, it's far easier to trick users into
>>> setting it than if it doesn't.
>>
>> Out of curiosity, is an automatic switch to full screen without the
>> user's consent considered an annoyance/usability problem or a
>> security/phishing attack/vulnerability problem or both?
>>
>> FWIW, it's only the former IMO.
>
> The former, yes.

I think if you can collect keystrokes then phishing is also on the cards, alas.

>> If someone does ask why scripts can't switch to full screen, what would
>> the reason(s) be?
>>
>> 1. There doesn't seem to be much demand for it.
>>
>> 2. It's not clear what would be the best way for UAs to provide the
>> functionality while preventing sites from taking advantage of the
>> feature and annoying users.
>
> Both, and also that it's considered ok for the user to have to tell the UA
> that he wants to go fullscreen (rather than the script having to tell the
> UA that the user wants to go fullscreen).

I think there's both demand and precedent; and if it's not in the spec., as I say, it should be explicitly excluded with its reasons, so browser makers don't simply all add it as an extension. That way, we'd get all the problems again, plus an interoperability problem as well.

--
David Singer
Apple/QuickTime
Received on Tuesday, 30 October 2007 01:20:49 UTC