
[whatwg] Full Screen API Feedback

From: Philip Jägenstedt <philipj@opera.com>
Date: Thu, 19 May 2011 13:30:14 +0200
Message-ID: <op.vvp7koq7sr6mfa@kirk>
On Thu, 19 May 2011 12:22:44 +0200, Robert O'Callahan  
<robert at ocallahan.org> wrote:

> On Thu, May 19, 2011 at 9:34 PM, Philip Jägenstedt
> <philipj at opera.com> wrote:
>
>> Regarding user prompts, I am tentatively in favor of the approach that
>> Jer appears to be arguing for, which is to never prompt the user but
>> rather simply require direct user interaction in order to go to fullscreen
>
>
> The rest sounds reasonable, but I doubt "requiring direct user
> interaction" (by which I assume you mean requiring the user to click
> somewhere (anywhere) in the page) provides any meaningful security
> benefit. I certainly think I'd have a hard time convincing our security
> people of that!

That would not be the only line of defense and is as much an  
anti-annoyance feature like pop-up blocking as it is part of making it  
abundantly clear to the user what page has gone into fullscreen and why.  
This is certainly *relevant* to security, although not the only component.

Are there security issues with this setup?

* fullscreen can only be requested by direct user interaction
* fullscreen is entered with an animation
* after entering fullscreen (for the first time on a site, or whatever  
rules the UA imposes), it's impossible to interact with the page until the  
user acknowledges that they want to stay in fullscreen, with the page  
dimmed in the background.

The last point could be replaced by whatever the UA thinks is enough to be  
sure that the user realizes what has happened; prompting wouldn't be  
mandatory.

-- 
Philip Jägenstedt
Core Developer
Opera Software
Received on Thursday, 19 May 2011 04:30:14 UTC
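
The three-point setup proposed in the message above, modelled as a small user-agent state machine. This is an added example, not part of the original message or any browser's code; the class and method names, and the choice to withhold input from the page during the entry animation, are assumptions made for illustration.

```javascript
// Toy model of the proposed UA policy. All names here are hypothetical.
class FullscreenPolicy {
  constructor() {
    this.state = "windowed";        // windowed | entering | awaiting-ack | fullscreen
    this.origin = null;             // site currently holding fullscreen
    this.acknowledged = new Set();  // sites the user has already confirmed
  }
  // Point 1: only a request made during direct user interaction is honoured.
  request(origin, { userInitiated }) {
    if (!userInitiated || this.state !== "windowed") return false;
    this.state = "entering";        // Point 2: the UA starts its entry animation
    this.origin = origin;
    return true;
  }
  // Called by the UA once the entry animation has finished.
  animationDone() {
    if (this.state !== "entering") return;
    // Point 3: first time on a site, dim the page and wait for the user.
    this.state = this.acknowledged.has(this.origin) ? "fullscreen" : "awaiting-ack";
  }
  // The user answers the UA's own overlay, which the page cannot script.
  acknowledge(stay) {
    if (this.state !== "awaiting-ack") return;
    if (stay) { this.acknowledged.add(this.origin); this.state = "fullscreen"; }
    else this.exit();
  }
  exit() { this.state = "windowed"; this.origin = null; }
  // Input reaches the page only when windowed or in confirmed fullscreen
  // (assumption: it is also withheld while the animation runs).
  routeInput() {
    return this.state === "windowed" || this.state === "fullscreen" ? "page" : "ua";
  }
}

// Constructed walk-through using a made-up origin.
function demo() {
  const p = new FullscreenPolicy(), log = [];
  log.push(p.request("https://a.example", { userInitiated: false })); // script/timer
  log.push(p.request("https://a.example", { userInitiated: true }));  // click
  p.animationDone();
  log.push(p.routeInput());   // page is dimmed, input stays with the UA
  p.acknowledge(true);
  log.push(p.routeInput());   // user chose to stay, page is interactive again
  p.exit();
  p.request("https://a.example", { userInitiated: true });
  p.animationDone();
  log.push(p.state);          // acknowledgement is remembered for this site
  return log;
}
console.log(demo());
```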
