[whatwg] Feedback on the Mozilla FullScreen API proposal

[Robert O'Callahan]

On Sat, Aug 7, 2010 at 1:39 AM, Mike Wilcox <mike at mikewilcox.net> wrote:

> Kudos to Mozilla (and Robert?). This is awesome. It does appear that you
> plan to allow fullscreen without the use of a user-trigggered event such as
> a button-click like Flash does.


The proposed spec allows that, but I think browsers are likely to prevent
"drive-by fullscreen".

First a small thing. The format of the CSS style:
> :full-screen
> :full-screen-root-with-target
> I don't see why "fullscreen" should be hyphenated. Even the title of the
> page uses it as one word.
>

I could go either way, but "full-screen" technically more correct. BTW you
seem to be reading an old version of the spec.

I don't understand the use of requestFullScreenWithKeys(). Why would I ever
> use a more restrictive method?


As the spec explains, by opting into more restrictions, you can get a lower
bar to access fullscreen mode.


> I assume the entire reason for security is for third party apps (video) and
> advertisements (have I missed an actor?).
>

There's a set of problems there, but there's another set of problems where
the user simply visits evil.com and that site tries to go fullscreen to
launch some kind of spoofing attack.

The first, simple use case I'm looking to solve is to block your ads from
> using fullscreen. I don't see a way to do that in the spec. I recommend the
> above options are properties of the document.body:
>        <body allowFullscreen="blocked">
>

This kind of thing would be better expressed with CSP.

Rob
-- 
"Now the Bereans were of more noble character than the Thessalonians, for
they received the message with great eagerness and examined the Scriptures
every day to see if what Paul said was true." [Acts 17:11]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100807/8a87c05b/attachment-0002.htm>