Hacker News new | comments | show | ask | jobs | submit login

When the standard was being ratified, this came up on the mailing list (I can't find the link right now, I am on my cell).

The solution was that to recommend vendors print warning labels across the top or add a layer of permissions around the feature - which Chrome and Safari have done.

for eg. when I open it I get a message saying 'Chrome is currently in fullscreen mode'. They will likely both also add permission boxes similar to when the browser requests your location.

It is good for developers to understand this, though, but I wouldn't say that the spec is broken, or that this is a bad feature, it can be implemented securely and with warnings. Anti-phishing education for users should involve primarily talking about not trusting links anywhere and typing in the address directly.

Edit: Here it is from the Spec:


> 7. Security and Privacy Considerations

> User agents should ensure, e.g. by means of an overlay, that the end user is aware something is displayed fullscreen. User agents should provide a means of exiting fullscreen that always works and advertise this to the user. This is to prevent a site from spoofing the end user by recreating the user agent or even operating system environment when fullscreen. See also the definition of requestFullscreen().

> To prevent embedded content from going fullscreen only embedded content specifically allowed via the allowfullscreen attribute of the HTML iframe element will be able to go fullscreen. This prevents untrusted content from going fullscreen.

I am most familiar with Safari and Chrome (have been meaning to get up-to-date with Firefox, which has had a lot of good work put into it) but all of the major browser vendors have done something around this in their own way with both desktop and mobile releases.

It is at the discretion of each vendor how they implement security warnings or settings around full screen mode. They all have slightly different implementations but the end result is that they go some way towards preventing a phishing attack using Fullscreen.

That said, it was a good idea to bring this issue to the attention of developers and users as a potential attack vector and as a demonstration of why the security dialogs are important.

Edit II: The whatwg thread where the security considerations are discussed begins here:


The first post rightly points out that Flash had the feature implemented in a non-secure manner for a long time.

which Chrome and Safari have done

Firefox does it too, and in a much more obvious way than either Chrome or Safari. Here are all the latest browsers on Mac compared: http://imgur.com/a/jdcI7 (Sorry Opera; I haven't re-installed you yet.)

I actually didn't get any permissions dialog or warning label in Safari 6; maybe I ok'd it for another site at some point in the past, but I definitely didn't whitelist this domain.

I've just tested it in IE 9, apparently it has its own "safety mechanism" - I get the following message:

    Your browser does not support the Fullscreen API.

Safari has no warning or message at all. Just a quick, half-second animation and that's it.

Safari disallows keyboard input in fullscreen mode.

Dear customer, in order to improve the security of your account we have implemented a new on-screen keyboard. Please use the mouse to enter your account number and PIN in order to access online banking.

The fact that this is a real technology being deployed right now doesn't hurt.

Entirely? So no way to use fullscreen mode for keyboard-driven games in saf'?

That's correct, this is why the Facebook full-screen photo viewer is not enabled in Safari even though the API is supported.

That stinks.

These messages do not show any warnings about possible malicious activity. This is enough to get a few not so computer-savvy people to get robbed.

>The first post rightly points out that Flash had the feature implemented in a non-secure manner for a long time.

Flash disabled all "printing" keys in full-screen mode, and disabled a warning label when entered into the mode. FS could only be entered from user action. So Flash's full-screen mode was limited but fairly secure.

Why do we need a JavaScript based API for this anyway? Wouldn't it be MUCH better to allow websites detect when user presses F11 instead? It's not just about security, it's about managing expectations and familiar UI.

Applications are open for YC Winter 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact