Gecko:FullScreenAPI

3,171 bytes added, 08:34, 21 April 2011
Add my concerns to the Security section
To-Do
* Re-review as spec firms up and code begins to land
 
=== Jesse's concerns ===
Added 2011-04-21
 
I'm worried about having a full screen mode that does not require user permission. In particular, I have three concerns:
* It allows spoofing for the purpose of '''tricking the user into giving away information through mouse input'''.
** Spoof your bank, asking you to enter your password or PIN with an on-screen keypad. This is actually a plausible request from a bank! In an attempt to defeat simple keyloggers, some banks require the use of an on-screen keypad. (Examples: [https://www.westpac.com.au/ Westpac], [http://boingboing.net/2005/02/12/citibank_uk_banking_.html others])
** On a touch-screen device, what you think is your on-screen keyboard could actually be part of the web page.
** (This could be mitigated by replacing "full screen without keys" with "full screen with video-like controls only": any user interaction makes a scrubber and volume controls appear.)
* It allows spoofing for the purpose of '''tricking the user to take an action later or outside of the browser'''.
** Spoof your bank, telling you "Please call us to discuss possible fraud on your account". Supply an attacker-controlled phone number.
** Spoof https://www.mozilla.org/, asking you to "download the new version of Firefox".
** Spoof https://twitter.com/, showing tweets indicating your company has been bought by AOL.
** Spoof https://www.facebook.com/, showing fake evidence that your wife is cheating on you.
** Spoof the [http://support.apple.com/kb/ht1392 You need to restart your computer] screen. Are you going to think of pressing Esc, or are you going to power-cycle?
** More generally, this makes it more difficult to explain how to find out which site you're on. Instead of "look at the address bar…", instructions must start with "press Esc, then look at the address bar…".
* Entering full-screen mode '''reveals the screen size''', which is a privacy/fingerprinting hazard.
 
I should be absolutely sure that after pressing Esc, I'm not in full-screen mode.
* When I'm in full-screen mode, pressing Esc should leave, even if the site uses preventDefault.
* When I'm not in full-screen mode, pressing Esc (or Cmd+W, etc.) should not count as a "user-initiated event that allows popups and full-screening".
 
I should be sure that after full-screening YouTube, another site cannot navigate me away from YouTube and remain in full-screen mode. That means changing "There is no requirement to exit full-screen state when a browsing context is navigated to a new page."
 
'''I'd prefer just putting a full-screen button on our toolbar.''' Let users choose when to full-screen the page themselves. If the user chooses to hide the button, web pages could be allowed to make it appear again temporarily.
 
Advantages:
* No need for an auto-allow-but-limited-input mode, with all the security and usability problems it brings.
* Fewer clicks. One click (on the toolbar button) instead of two (one in the page, one to allow).
* We don't have to worry about timing or confusion attacks against the permission UI.
* Consistent UI across the web.
 
Disadvantages:
* Harder for youtube-in-iframe to become full-screen.
* Uses toolbar space.
 
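The three browser-side rules argued for above (Esc always exits full screen even if the page calls preventDefault, Esc and Cmd+W-style shortcuts never count as the user gesture that unlocks a full-screen request, and navigating the browsing context exits full screen) written out as a small executable model. This is an added example, not Gecko code and not part of the original wiki page; the `BrowsingContext` class, the event shapes and the `isActivationGesture` helper are assumptions chosen to make the rules testable in plain JavaScript.

```javascript
// Added example: executable model of the full-screen policy rules discussed above.
// Not Gecko code. BrowsingContext, the event objects and isActivationGesture are
// assumptions made for illustration; a real browser wires these to DOM events.

// Rule 2: only genuine activation gestures may unlock requestFullscreen().
// Esc and modifier-bound shortcuts (Cmd+W, Ctrl+W, ...) are excluded because the
// user pressed them to leave, not to grant a page anything.
function isActivationGesture(event) {
  if (event.type === "click" || event.type === "touchend") return true;
  if (event.type !== "keydown") return false;
  if (event.key === "Escape") return false;
  if (event.metaKey || event.ctrlKey || event.altKey) return false;
  return true;
}

class BrowsingContext {
  constructor(url) {
    this.url = url;
    this.fullscreen = false;
    this.pageHandlers = { keydown: [] };
  }

  // Page script registers a handler; it is free to call event.preventDefault().
  addEventListener(type, fn) {
    this.pageHandlers[type].push(fn);
  }

  // A page asks to go full screen; granted only from an activation gesture.
  requestFullscreen(triggeringEvent) {
    if (!isActivationGesture(triggeringEvent)) return false;
    this.fullscreen = true;
    return true;
  }

  // Browser dispatches a key event to the page. Rule 1: Esc exits full screen
  // unconditionally; the browser acts on the key itself and never consults
  // event.defaultPrevented, so a page cannot trap the user.
  dispatchKey(key, modifiers = {}) {
    const event = {
      type: "keydown",
      key,
      defaultPrevented: false,
      preventDefault() { this.defaultPrevented = true; },
      ...modifiers,
    };
    for (const fn of this.pageHandlers.keydown) fn(event);
    if (key === "Escape" && this.fullscreen) {
      this.fullscreen = false;
    }
    return event;
  }

  // Rule 3: navigating the browsing context exits full screen, so a second site
  // cannot inherit the full-screen state the user granted to the first one.
  navigate(url) {
    this.url = url;
    this.fullscreen = false;
    this.pageHandlers = { keydown: [] };
  }
}

// Walk through the scenarios from the text and report what the model does.
function demo() {
  const ctx = new BrowsingContext("https://www.youtube.com/");
  // A page that tries to keep the user in full screen by swallowing Esc.
  ctx.addEventListener("keydown", (e) => {
    if (e.key === "Escape") e.preventDefault();
  });

  const click = { type: "click" };                 // constructed user click
  const entered = ctx.requestFullscreen(click);

  const escEvent = ctx.dispatchKey("Escape");
  const exitedDespitePreventDefault = !ctx.fullscreen && escEvent.defaultPrevented;

  // The Esc press that left full screen must not itself unlock re-entry,
  // and neither must a Cmd+W keydown.
  const reenteredViaEsc = ctx.requestFullscreen(escEvent);
  const cmdW = ctx.dispatchKey("w", { metaKey: true });
  const reenteredViaCmdW = ctx.requestFullscreen(cmdW);

  // Legitimately re-enter, then let "another site" navigate the context.
  ctx.requestFullscreen(click);
  ctx.navigate("https://example.invalid/");      // constructed attacker URL
  const fullscreenAfterNavigation = ctx.fullscreen;

  return { entered, exitedDespitePreventDefault, reenteredViaEsc,
           reenteredViaCmdW, fullscreenAfterNavigation };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The model deliberately separates "did the page call preventDefault" from "did the browser leave full screen": the former is recorded on the event, the latter is decided by the browser alone, which is the property the text asks for.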
== Issues ==