[whatwg] Full Screen API Feedback

Philip Jägenstedt philipj at opera.com
Thu May 19 04:30:14 PDT 2011

On Thu, 19 May 2011 12:22:44 +0200, Robert O'Callahan  
<robert at ocallahan.org> wrote:

> On Thu, May 19, 2011 at 9:34 PM, Philip Jägenstedt  
> <philipj at opera.com>wrote:
>> Regarding user prompts, I am tentatively in favor of the approach that  
>> Jer
>> appears to be arguing for, which is to never prompt the user but rather
>> simply require direct user interaction in order to go to fullscreen
> The rest sounds reasonable, but I doubt "requiring direct user  
> interaction"
> (by which I assume you mean requiring the user to click somewhere  
> (anywhere)
> in the page) provides any meaningful security benefit. I certainly think  
> I'd
> have a hard time convincing our security people of that!

That would not be the only line of defense and is as much an  
anti-annoyance feature like pop-up blocking as it is part of making it  
abundantly clear to the user what page has gone into fullscreen and why.  
This is certainly *relevant* to security, although not the only component.

Are there security issues with this setup?

* fullscreen can only be requested by direct user interaction
* fullscreen is entered with an animation
* after entering fullscreen (for the first time on a site, or whatever  
rules the UA imposes), it's impossible to interact with the page until the  
user acknowledges that they want to stay in fullscreen, with the page  
dimmed in the background.

The last point could be replaced by whatever the UA thinks is enough to be  
sure that the user realizes what has happened, prompting wouldn't be  

Philip Jägenstedt
Core Developer
Opera Software

More information about the whatwg mailing list