- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Fri, 13 May 2011 10:46:18 +0300
On Thu, 2011-05-12 at 20:29 -0400, Aryeh Gregor wrote:
> In
> particular, Flash has allowed this for years, with 95%+ penetration
> rates, so we should already have a good idea of how this feature can
> be exploited in practice.

I don't know of exploits in the wild, but I've read about proof-of-concept exploits that overwhelmed the user's attention visually so that the user didn't notice the "Press ESC to exit full screen" message. This allowed subsequent UI spoofing. (I was unable to find the citation for this.)

Unfortunately, trying to mitigate this problem without explicit per-origin permission management means that the browser would need to take over the whole screen to show a warning for a few moments in such a way that during that time the site has no way to show its own distractions. That would be very annoying on legitimate sites. (With my user hat on, I'm already annoyed by the "Press ESC to exit full screen" in the Flash mode of YouTube.) Also, it would be less aesthetically pleasing than having a part of the page animate to zoom to full screen.

Limiting keyboard entry to arrow keys, space and such nontextual input mitigates the impact of UI spoofing attacks somewhat. However, for full-screen games, it might be useful to be able to request more keyboard input (as mentioned in the proposal). It would be good to keep in mind that the API needs to support requesting keyboard permissions, and it might be considered odd to have totally different API flows for the keyboard-enabled case and for the keyboard-limited case.

--
Henri Sivonen
hsivonen at iki.fi
http://hsivonen.iki.fi/
Received on Friday, 13 May 2011 00:46:18 UTC
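
The keyboard-limited and keyboard-enabled cases discussed in the message above, modelled as one browser-side decision path. This is an added example, not part of the original e-mail and not any browser's implementation; the function names, the allow-list contents beyond arrows and space, and the per-origin grant store are assumptions made for illustration.

```javascript
// Added illustration: a model of a browser-side key gate for full-screen mode.
// Arrow keys and space come from the message; the paging keys are an assumed
// reading of "and such nontextual input".
const NONTEXTUAL_KEYS = new Set([
  "ArrowUp", "ArrowDown", "ArrowLeft", "ArrowRight",
  " ", "PageUp", "PageDown", "Home", "End",
]);

// Origins the user has explicitly granted full keyboard access.
// Constructed sample data standing in for per-origin permission management.
const keyboardGrants = new Set(["https://game.example"]);

// Decide what happens to one key press.
// Returns "exit" (browser leaves full screen), "deliver" (page sees the key)
// or "drop" (key is swallowed, so a spoofed UI cannot collect typed text).
function gateKey(state, key) {
  if (!state.fullscreen) return "deliver";
  // Escape is reserved for the browser and never reaches the page.
  if (key === "Escape") return "exit";
  // Keyboard-enabled case: same path, one extra permission check.
  if (keyboardGrants.has(state.origin)) return "deliver";
  // Keyboard-limited case: only nontextual keys pass.
  return NONTEXTUAL_KEYS.has(key) ? "deliver" : "drop";
}

// Run a key sequence through the gate, starting in full screen,
// and report which keys the page received and the final mode.
function simulate(origin, keys) {
  const state = { origin, fullscreen: true };
  const seen = [];
  for (const key of keys) {
    const verdict = gateKey(state, key);
    if (verdict === "exit") state.fullscreen = false;
    else if (verdict === "deliver") seen.push(key);
  }
  return { seen, fullscreen: state.fullscreen };
}
```

Once Escape has returned the page to windowed mode the real browser chrome is visible again, so the model delivers all later keys.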