Gecko:FullScreenAPI: Difference between revisions

→‎Security: noted security review, sorted security sections newest first
  }
== Security ==
Discussions documented newest first.


=== Discussion 2011-10-03 ===
* [[Security/Reviews/Firefox10/CodeEditor/FullScreenAPI]]


=== Discussion 2011-04-21 ===
Jesse's concerns, added 2011-04-21.


I'm worried about having a full screen mode that does not require user permission. In particular, I have three concerns:


''Jesse 2011-08-18'': Interesting to note that IE previously had fullscreen=yes but [https://developer.mozilla.org/en/Window.open#Note_on_fullscreen removed it in WinXP SP2].
=== Discussion 2011-04-11 ===
Date of discussion: 2011.04.11
Security Concerns:
* Ability of a website to enter full screen and pre-empt keyboard focus
* User interaction currently not required for entering full-screen mode
* Full screen could be used as an attack vector
Responses:
* There is a mode called "without keys" that does not take keyboard input
* Focus is released on tab change or window change
Possible Remediations:
* ESC key should be used to exit, similar to other well-known apps users are familiar with
* A user preference should be available for users to allow or disallow full screen for a given URL domain (i.e. like the popup or geolocation preferences)
* Possible use of some indicator to show a user they are in full-screen mode
* Possible use of the permission manager
* Plug-ins should be disabled when in full-screen mode
To-Do:
* Re-review as spec firms up and code begins to land
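
The keyboard-focus concern, the "without keys" mode and the per-domain preference / permission-manager remediations above can be modelled as one entry-policy check. The block below is an added illustration written for this page, not Gecko code: the names <code>FullscreenPermissionManager</code>, <code>decideFullscreenRequest</code>, <code>shouldExitFullscreen</code>, the sample origins and the event shapes are assumptions, and the model assumes that an origin with no stored preference falls back to the restricted without-keys mode rather than being prompted. It keys preferences on the origin (scheme, host, port) rather than on a bare domain so that an http and an https site on the same host do not share a grant.

```javascript
// Added example (not Gecko code): a model of the full-screen entry policy
// proposed in the 2011-04-11 notes. Class, function and field names are
// assumptions made for this illustration.

// Per-origin permission store in the spirit of the popup/geolocation
// preferences ("permission manager"). Stored decisions are "allow" or
// "deny"; an origin with no entry is reported as "ask".
class FullscreenPermissionManager {
  constructor() {
    this.decisions = new Map();
  }

  // Key on the origin (scheme + host + port), not on the bare host name or the
  // full URL: http://example.com and https://example.com must not share a
  // grant, and a differing path or query must not create a separate entry.
  static originOf(url) {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") {
      throw new Error("full-screen permission only applies to http(s) origins: " + url);
    }
    return u.origin; // default ports are dropped by the URL parser
  }

  set(url, decision) {
    if (decision !== "allow" && decision !== "deny") {
      throw new Error("decision must be 'allow' or 'deny'");
    }
    this.decisions.set(FullscreenPermissionManager.originOf(url), decision);
  }

  get(url) {
    return this.decisions.get(FullscreenPermissionManager.originOf(url)) || "ask";
  }
}

// Decide whether a page's request to enter full screen is honoured and in
// which mode. request = { url, userActivated, wantsKeyboard }.
// Returns { allowed, mode, pluginsEnabled, showIndicator, reason }.
function decideFullscreenRequest(pm, request) {
  // Entering full screen is tied to a user interaction.
  if (!request.userActivated) {
    return { allowed: false, mode: null, pluginsEnabled: false, showIndicator: false,
             reason: "no user interaction" };
  }
  const decision = pm.get(request.url);
  if (decision === "deny") {
    return { allowed: false, mode: null, pluginsEnabled: false, showIndicator: false,
             reason: "origin denied by user preference" };
  }
  // Keyboard focus: only an explicitly allowed origin gets the "with keys"
  // mode; everything else enters the "without keys" mode, which takes no
  // keyboard input, so typed input cannot be captured by the page.
  // (Assumption of this model: an unset "ask" entry falls back to the
  // restricted mode instead of blocking or prompting.)
  const mode = request.wantsKeyboard && decision === "allow" ? "withkeys" : "withoutkeys";
  return {
    allowed: true,
    mode,
    pluginsEnabled: false,   // plug-ins are disabled in full-screen mode
    showIndicator: true,     // tell the user they are in full-screen mode
    reason: decision === "allow" ? "origin allowed by user preference" : "default policy",
  };
}

// Events that end full screen regardless of what the page wants: ESC, and
// the tab or window change that releases focus.
function shouldExitFullscreen(event) {
  if (event.type === "keydown") return event.key === "Escape";
  return event.type === "tabchange" || event.type === "windowchange";
}

// Constructed walkthrough with made-up origins.
const pm = new FullscreenPermissionManager();
pm.set("https://video.example/player?id=1", "allow");
pm.set("http://evil.example/", "deny");
console.log(decideFullscreenRequest(pm, { url: "https://video.example/other", userActivated: true, wantsKeyboard: true }));
console.log(decideFullscreenRequest(pm, { url: "https://unknown.example/", userActivated: true, wantsKeyboard: true }));
console.log(decideFullscreenRequest(pm, { url: "https://unknown.example/", userActivated: false, wantsKeyboard: false }));
console.log(shouldExitFullscreen({ type: "keydown", key: "Escape" }));
```

In the walkthrough the allowed origin receives keyboard input, the unknown origin enters full screen without keys and with the indicator shown, the request without a user interaction is refused, and ESC exits in every case.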


== Issues ==