[whatwg] Full Screen API Feedback

Henri Sivonen hsivonen at iki.fi
Fri May 13 00:46:18 PDT 2011

On Thu, 2011-05-12 at 20:29 -0400, Aryeh Gregor wrote:
> In
> particular, Flash has allowed this for years, with 95%+ penetration
> rates, so we should already have a good idea of how this feature can
> be exploited in practice.

I don't know of exploits in the wild, but I've read about
proof-of-concept exploits that overwhelmed the user's attention visually
so that the user didn't notice the "Press ESC to exit full screen"
message. This allowed subsequent UI spoofing. (I was unable to find the
citation for this.)

Unfortunately, trying to mitigate this problem without explicit
per-origin permission management means that the browser would need to
take over the whole screen to show a warning for a few moments in such a
way that during that time the site has no way to show its own
distractions. That would be very annoying on legitimate sites. (With my
user hat on, I'm already annoyed by the "Press ESC to exit full screen"
in the Flash mode of YouTube.) Also, it would be less aesthetically
pleasing than having a part of the page animate to zoom to full screen.

Limiting keyboard entry to arrow keys, space and such nontextual input
mitigates the impact of UI spoofing attacks somewhat. However, for
full-screen games, it might be useful to be able to request more
keyboard input (as mentioned in the proposal). It would be good to keep
in mind that the API needs to support requesting keyboard permissions,
and it might be considered odd to have totally different API flows for
the keyboard-enabled case and for the keyboard-limited case. 

Henri Sivonen
hsivonen at iki.fi

More information about the whatwg mailing list