1,295
edits
Changes
→Jesse's concerns
** Spoof your bank, asking you to enter your password or PIN with an on-screen keypad. This is actually a plausible request from a bank! In an attempt to defeat simple keyloggers, some banks require the use of an on-screen keypad. (Examples: [https://www.westpac.com.au/ Westpac], [http://boingboing.net/2005/02/12/citibank_uk_banking_.html others])
** On a touch-screen device, what you think is your on-screen keyboard could actually be part of the web page.
** (This could be mitigated by replacing "full screen without keys" with "full screen with video-like controls only": any user interaction makes a scrubber and volume controls appear.)''roc: this version of full-screen wouldn't address any of the use-cases for full-screen (beyond making a video full-screen with browser controls, which we already support).''
* It allows spoofing for the purpose of '''tricking the user to take an action later or outside of the browser'''.
** Spoof your bank, saying you "Please call us to discuss possible fraud on your account". Supply an attacker-controlled phone number.
** Spoof https://twitter.com/, showing tweets indicating your company has been bought by AOL.
** Spoof https://www.facebook.com/, showing fake evidence that your wife is cheating on you.
** Spoof the [http://support.apple.com/kb/ht1392 You need to restart your computer] screen. Are you going to think of pressing Esc, or are you going to power-cycle?''roc: there's no reason for attackers to want to do this.''
** More generally, this makes it more difficult to explain how to find out which site you're on. Instead of "look at the address bar…", instructions must start with "press Esc, then look at the address bar…".
* Entering full-screen mode '''reveals the screen size''', which is a privacy/fingerprinting hazard (assuming we fix {{bug|418986}}).
Advantages:
* No need for a auto-allow-but-limited-input mode, with all the security and usability problems it brings.
* Fewer clicks. One click (on the toolbar button) instead of two (one in the page, one to allow).''roc: not a real advantage since we'd either avoid a prompt-based UI or if we have a prompt-based UI, we'd have 'remember this decision' so most of the time only the in-page click would be needed.''
* We don't have to worry about timing or confusion attacks against the permission UI.
* Consistent UI across the web.
* Harder for youtube-in-iframe to become full-screen.
* Uses toolbar space.
* ''roc: not clear how to make it work when there's more than one element in the page that you might want to make full-screen.''
* ''roc: not discoverable by users looking for in-page UI.''
== Issues ==
