[whatwg] Full Screen API Feedback
philipj at opera.com
Thu May 19 04:30:14 PDT 2011
On Thu, 19 May 2011 12:22:44 +0200, Robert O'Callahan
<robert at ocallahan.org> wrote:
> On Thu, May 19, 2011 at 9:34 PM, Philip Jägenstedt
> <philipj at opera.com> wrote:
>> Regarding user prompts, I am tentatively in favor of the approach that
>> appears to be arguing for, which is to never prompt the user but rather
>> simply require direct user interaction in order to go to fullscreen
> The rest sounds reasonable, but I doubt "requiring direct user
> (by which I assume you mean requiring the user to click somewhere
> in the page) provides any meaningful security benefit. I certainly think
> have a hard time convincing our security people of that!
That would not be the only line of defense and is as much an
anti-annoyance feature like pop-up blocking as it is part of making it
abundantly clear to the user what page has gone into fullscreen and why.
This is certainly *relevant* to security, although not the only component.
Are there security issues with this setup?
* fullscreen can only be requested by direct user interaction
* fullscreen is entered with an animation
* after entering fullscreen (for the first time on a site, or whatever
rules the UA imposes), it's impossible to interact with the page until the
user acknowledges that they want to stay in fullscreen, with the page
dimmed in the background.
The last point could be replaced by whatever the UA thinks is enough to be
sure that the user realizes what has happened, prompting wouldn't be