[whatwg] api for fullscreen()

Jonas Sicking jonas at sicking.cc
Wed Dec 16 23:17:26 PST 2009


2009/12/16 Ian Fette (イアンフェッティ) <ifette at google.com>:
> 2009/12/16 Jonas Sicking <jonas at sicking.cc>
>>
>> 2009/12/16 Ian Fette (イアンフェッティ) <ifette at google.com>:
>> > I think what I've heard from application developers over and over again
>> > is that, while the UA may provide some way to go into full screen from
>> > in the browser chrome, it is much more discoverable when that capability
>> > exists from within the content area (e.g. people are used to clicking on
>> > the full screen button in YouTube, and when you take that away users can
>> > no longer figure out how to go full screen).
>> > Obviously there are security considerations re: UI spoofing, but I'm
>> > beginning to wonder how much we should beat ourselves over this. If
>> > there are simple things that we can do to improve upon the model Flash
>> > uses (e.g. don't have a translucent overlay but instead use an opaque
>> > overlay, or use an overlay that doesn't go away until the user dismisses
>> > it, etc) without totally killing current use cases and discoverability,
>> > then let's consider that. Overall though, it feels like we are burying
>> > our head in the sand a bit by saying "Well, as long as HTML doesn't
>> > provide a way to go full screen, the users are safe and it's not *our*
>> > fault if anything bad happens," when the reality is that Flash is
>> > installed on 98-99% of all machines out there and anyone who is really
>> > trying to phish people using this method could easily use flash instead
>> > of whatever we provide. (And yes I'm aware people can turn off flash,
>> > but those users sophisticated enough to use noflash can probably figure
>> > out if they are in full-screen mode or not.)
>> > -Ian
>>
>> In addition to UI spoofing there is also the "annoying websites"
>> factor. There is today an API for pages to resize the browser window,
>> which I know that some pages abuse to resize the browser window to be
>> as big as possible. This API is one of very few that Firefox has
>> specific API to turn off, because it's one of the APIs that annoy users
>> the most.
>>
>
> You could tie it to user gestures, e.g. only allow a page to call
> fullscreen() in response to a user gesture, much as many browsers will block
> popups that do not result from a user gesture. Not perfect, but a large
> improvement.
>
>>
>> As for flash going full screen. I heard something regarding that while
>> in full screen mode flash disables certain capabilities, in order to
>> reduce the risk of spoofing. Such as the ability to receive keyboard
>> events. Haven't investigated this at all though.
>>
>
> correct
>
>>
>> I'm also not sure what you mean by "can probably figure out if they
>> are in full-screen mode or not". How would you figure this out? Other
>> than by installing a non-standard skin for your desktop or browser?
>>
>
> If you can only call fullscreen() in response to a user gesture, and there
> is some reasonably obvious thing that happens when you go full screen
> (hopefully a bit more obvious than what Flash currently does), then I'm
> hoping a sophisticated user who knows about noflash could figure out that
> they just went into fullscreen. As for the unsophisticated user, they're
> already "at risk" by flash, hopefully we could do better than flash, but if
> not, I think I would be willing to accept being on-par with Flash on this
> issue.

You need to ensure that the user is actively looking at the screen
though. If the user is getting back to a screen that is now in
fullscreen mode it seems hard to impossible to tell in the general
case. Unless you slap a bar at the top of the screen that constantly says
"Fullscreen mode, take caution".

I guess that if you enforced that fullscreen could only happen in
response to a click then you are in better shape. I'd say you should
try implementing this in chrome :)

As for comparisons to flash, one of the goals of the mozilla project
is to improve the web, not stay on par with flash ;)

/ Jonas
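
The gating rule discussed in this thread (fullscreen granted only right after a click, key events withheld from the page while fullscreen, a notice that stays up), modelled as an added example that is not part of the original message or any browser's code. The class name, the 1000 ms freshness window and the event timeline are assumptions constructed for illustration.

```javascript
// Constructed model of a user agent's policy; not code from any browser.
const ACTIVATION_WINDOW_MS = 1000; // assumed freshness window for a click

class FullscreenGate {
  constructor() {
    this.lastClickAt = null; // time of the most recent unconsumed click
    this.fullscreen = false;
  }
  // The UA sees every trusted input event before content does.
  // Returns true if the event is delivered to the page.
  input(type, now) {
    if (type === "click") this.lastClickAt = now;
    // Restriction the thread attributes to Flash: no key events in fullscreen.
    return !(this.fullscreen && type === "keydown");
  }
  // Page script asks to go fullscreen; granted only right after a click.
  request(now) {
    const fresh = this.lastClickAt !== null &&
                  now - this.lastClickAt <= ACTIVATION_WINDOW_MS;
    if (!fresh) return false;
    this.lastClickAt = null; // one click authorizes one transition
    this.fullscreen = true;
    return true;
  }
  exit() { this.fullscreen = false; }
  // Persistent indicator for a user who returns to an already-fullscreen screen.
  get noticeVisible() { return this.fullscreen; }
}

// Constructed timeline of [time in ms, action] pairs:
// request on page load, click then request, keydown while fullscreen, exit,
// request reusing the consumed click, click then a late timer-driven request.
const TIMELINE = [
  [0, "request"], [5000, "click"], [5100, "request"], [6000, "keydown"],
  [7000, "exit"], [7100, "request"], [9000, "click"], [12000, "request"],
];

// Replays a timeline and returns, per step, whether it was granted/delivered.
function replay(timeline) {
  const gate = new FullscreenGate();
  return timeline.map(([t, action]) => {
    if (action === "request") return gate.request(t);
    if (action === "exit") { gate.exit(); return true; }
    return gate.input(action, t);
  });
}
```

Replaying `TIMELINE` denies the load-time request, the reuse of an already consumed click, and the request made three seconds after a click; only the request 100 ms after a click is granted.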

