
NoScript already inherently blocks this, and even if you allow the domain that provides the script that tries to go full-screen, and allow the full-screen transition, the web page pretending to be a desktop doesn't cover the NoScript toolbar that's still prompting for permissions on the other domains. I suspect the anti-clickjacking measures would kick in if the phishing site tried to incorporate the real site as a base layer.

NoScript does not seem to have any features targeted directly at HTML5 fullscreen, though.




It's increasingly difficult to browse websites with NoScript and Request Policy add-ons. There are websites that download JS from more than a dozen different domains. Moreover, it seems that a lot of web developers (including some here) simply dismiss NoScript users as "not our target audience". Emerging "HTML" standards don't make this situation any better, since they are pretty much aimed at developing websites in JavaScript, not HTML.


I don't think the average user knows what NoScript is.


This is why I want to fork Chrome and create a secure and privacy-aware browser.

* Take out everything Google-related, including safebrowsing

* Rip out Flash and Java

* Integrate NoScript

* Integrate an alternate HTML5/canvas-based video player

* Integrate third-party request blocking

* No cookies by default

* Strip out all the tracking IDs in URLs (e.g. Google search results pages, back to just plain old ?s=search+query)

* Automatically clear cookies such as the __ut* cookies from analytics

* Incognito by default

* Introduce a concept of 'installing' trusted sites that would be allowed to run scripts, etc. not too dissimilar to how desktop computing works

I have had this idea for over a year now, but haven't gone far in implementing it other than doing a test build of Chromium with incognito by default and some default extensions.

It came about because my dad and other family members have each had spyware or rootkits installed on their machines. 99.99% of drive-by exploits can be stopped by simply not running IE and switching off Flash and Java.

It would be a browser where you don't have to explain everything, just marketed/renowned as being a browser focused on privacy and security features for everyday users.

When I get a chance, I am contemplating putting a team together and forking this as an open source project. If such a project is of interest to anybody else, get in touch (via email in profile).


Cookies and JS off by default?

Maybe we don't live in the same world.


Third-party cookies.

The idea is that you have a button next to the URL to install it, from where it just runs as normal (albeit still without third-party cookies, as with FB buttons).

It could also do something smart with the type of JavaScript being executed. E.g. the concern with JavaScript is dynamically generating forms or iframes and auto-submitting, etc. Something that you can't do with extensions but you can do with a separate browser.


Firefox extensions can certainly do that. For example NoScript has IFrame blocking built-in, it's just disabled by default. More importantly, its ClearClick feature prevents clickjacking even with IFrames enabled.

You're right that Chrome extensions can't do that, though.


Phishing attacks aren't targeting the HN crowd / web programmers.



