[whatwg] api for fullscreen() - security issues

Henri Sivonen hsivonen at iki.fi
Mon Feb 1 01:14:59 PST 2010

On Jan 31, 2010, at 05:08, Simon Fraser wrote:

> * disallow enterFullscreen() from a frame or iframe

This might be a problem if video sites transition their embedding boilerplate to an iframe in order to be able to be able to serve HTML5, Flash, ActiveX, etc. depending on UA without requiring the embedders to copy and paste anything fancy.

> * show an hard-to-spoof overlay with some text that tells the user that they can use the Escape key to exit fullscreen, and prevent the page from capturing this keypress.

IIRC, it has been shown that at least as implemented in Flash Player, it is possible to draw enough distractions to make the users unable to read this message. Also, when the site is legitimate, it's quite annoying to have the overlay there.

Personally, I'd rather have to click through a once per-Origin authorization bar (like geolocation in Firefox) than watch the "press esc" overlay every time.

> * make the location field available to the user so that they can see the URL even when in fullscreen

This defeats the point of full screen. If I want a 16:9 video to go full screen on a 16:9 display, I want all screen pixels to be used for the video.

> * drop out of fullscreen if navigating to another page

This would constrain slide shows do be unnecessarily Ajaxy and less linkable with per-slide JavaScriptless URLs.

Henri Sivonen
hsivonen at iki.fi

More information about the whatwg mailing list