[whatwg] api for fullscreen() - security issues

Simon Fraser smfr at me.com
Mon Feb 1 08:00:42 PST 2010

On Feb 1, 2010, at 1:14 AM, Henri Sivonen wrote:

> On Jan 31, 2010, at 05:08, Simon Fraser wrote:
>> * disallow enterFullscreen() from a frame or iframe
> This might be a problem if video sites transition their embedding boilerplate to an iframe in order to be able to serve HTML5, Flash, ActiveX, etc. depending on UA without requiring the embedders to copy and paste anything fancy.

Perhaps we'd enforce a same-origin rule where the iframe contents have to be from the same domain as the main page, then?

>> * show a hard-to-spoof overlay with some text that tells the user that they can use the Escape key to exit fullscreen, and prevent the page from capturing this keypress.
> IIRC, it has been shown that at least as implemented in Flash Player, it is possible to draw enough distractions to make the users unable to read this message.

That's why I said "hard to spoof". The Flash overlay makes the mistake of not being contrasty enough. An improvement would be to dim out the rest of the content while showing this overlay.

> Also, when the site is legitimate, it's quite annoying to have the overlay there.
> Personally, I'd rather have to click through a once per-Origin authorization bar (like geolocation in Firefox) than watch the "press esc" overlay every time.

That's a possibility, yes.

>> * make the location field available to the user so that they can see the URL even when in fullscreen
> This defeats the point of full screen. If I want a 16:9 video to go full screen on a 16:9 display, I want all screen pixels to be used for the video.

I said "make available", not "should be visible at all times". I was thinking of a behavior where it shows up at the top of the screen if the user moves the mouse close to the top.

>> * drop out of fullscreen if navigating to another page
> This would constrain slide shows to be unnecessarily Ajaxy and less linkable with per-slide JavaScriptless URLs.

Maybe a same-origin test could be used here too? But personally I think it's OK to force a fullscreen "application" to rely on AJAX and twiddling location.hash, rather than loading new pages.
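As an added illustration, not code from this thread or from any browser, the following JavaScript models the two same-origin rules Simon floats: a frame may call the hypothetical enterFullscreen() only if it and every ancestor share the top document's origin, and fullscreen is dropped on navigation unless only location.hash changes (or, optionally, the new page is same-origin). Function names are my own; the URL class is used to compare origins as scheme, host and port rather than bare hostnames.

```javascript
// Added example of a UA-side policy model for the thread's proposals.
// Illustrative only; not the behaviour of any shipping browser.

// An origin is scheme + host + port. URL normalises default ports, so
// "https://example.com:443/a" and "https://example.com/b" compare equal,
// while http vs https, or a differing explicit port, do not. Opaque
// origins (data:, about:blank) serialise as "null" and never match.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.origin !== 'null' && a.origin === b.origin;
}

// Frame rule: frameChain lists URLs from the top-level document down to
// the frame calling enterFullscreen(). Every hop must match the top origin,
// so a same-origin frame inside a cross-origin one is still refused.
function mayEnterFullscreen(frameChain) {
  if (frameChain.length === 0) return false;
  const top = frameChain[0];
  return frameChain.every((url) => sameOrigin(top, url));
}

// Navigation rule: a fragment-only change (location.hash "twiddling")
// loads no new document and keeps fullscreen. Any other navigation exits,
// unless allowSameOrigin is set and the destination shares the origin,
// which models the alternative same-origin test Simon suggests.
function shouldExitFullscreenOnNavigate(fromUrl, toUrl, { allowSameOrigin = false } = {}) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const hashOnly =
    from.origin === to.origin &&
    from.pathname === to.pathname &&
    from.search === to.search;
  if (hashOnly) return false;
  if (allowSameOrigin && sameOrigin(fromUrl, toUrl)) return false;
  return true;
}
```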

