The solution was that to recommend vendors print warning labels across the top or add a layer of permissions around the feature - which Chrome and Safari have done.
for eg. when I open it I get a message saying 'Chrome is currently in fullscreen mode'. They will likely both also add permission boxes similar to when the browser requests your location.
It is good for developers to understand this, though, but I wouldn't say that the spec is broken, or that this is a bad feature, it can be implemented securely and with warnings. Anti-phishing education for users should involve primarily talking about not trusting links anywhere and typing in the address directly.
Edit: Here it is from the Spec:
> 7. Security and Privacy Considerations
> User agents should ensure, e.g. by means of an overlay, that the end user is aware something is displayed fullscreen. User agents should provide a means of exiting fullscreen that always works and advertise this to the user. This is to prevent a site from spoofing the end user by recreating the user agent or even operating system environment when fullscreen. See also the definition of requestFullscreen().
> To prevent embedded content from going fullscreen only embedded content specifically allowed via the allowfullscreen attribute of the HTML iframe element will be able to go fullscreen. This prevents untrusted content from going fullscreen.
I am most familiar with Safari and Chrome (have been meaning to get up-to-date with Firefox, which has had a lot of good work put into it) but all of the major browser vendors have done something around this in their own way with both desktop and mobile releases.
It is at the discretion of each vendor how they implement security warnings or settings around full screen mode. They all have slightly different implementations but the end result is that they go some way towards preventing a phishing attack using Fullscreen.
That said, it was a good idea to bring this issue to the attention of developers and users as a potential attack vector and as a demonstration of why the security dialogs are important.
Edit II: The whatwg thread where the security considerations are discussed begins here:
The first post rightly points out that Flash had the feature implemented in a non-secure manner for a long time.
Firefox does it too, and in a much more obvious way than either Chrome or Safari. Here are all the latest browsers on Mac compared: http://imgur.com/a/jdcI7 (Sorry Opera; I haven't re-installed you yet.)
I actually didn't get any permissions dialog or warning label in Safari 6; maybe I ok'd it for another site at some point in the past, but I definitely didn't whitelist this domain.
Your browser does not support the Fullscreen API.
The fact that this is a real technology being deployed right now doesn't hurt.
Flash disabled all "printing" keys in full-screen mode, and disabled a warning label when entered into the mode. FS could only be entered from user action. So Flash's full-screen mode was limited but fairly secure.