Interacting before going full screen wasn't deemed secure enough. Hopefully there will be more granular controls over fullscreen in the future. You can certainly fool people with fake HTML sites today, but our goal is to make sure you can't fool people with FlashPlayer.
-Alex ________________________________ From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Troy Gilbert Sent: Friday, September 14, 2007 11:32 AM To: [email protected] Subject: Re: [flexcoders] Full Screen Mode I think what I outlined in my e-mail (basically the security that's there already) does that. Require the user to be directly interacting with the Flash applet before allowing fullscreen (fullscreen API only works in keyboard/mouse events). The first time a Flash applet goes fullscreen from a domain name have the player itself prompt the user (similar deal as for webcams and mics). Hell, I'd be fine with disallowing transparent backgrounds in fullscreen apps, that's not something I want and I don't think that most legitimate users of fullscreen want a transparent window. Of course, couldn't your banner ad already do what you describe? Probably not since Flash-based banner ads usually sit in IFRAMES so they're blocked by security domain, but I don't have to go fullscreen to do what you describe: that's all inside the web browser's window and that already works fine. The only problems I could see with fullscreen would largely be griefing from the apps, just like what popups do, and you combat it in the same way: default to blocking it, prompt the user to unblock it, allow them to unblock it permanently site-by-site (which is inline with all of the other security restrictions in the Flash player). It just kinda baffles me that its easier to capture *video* and *audio* from the user's machine than it is to interact with them fullscreen. Seems kinda backwards if security/privacy is a focus! ;-) Troy. On 9/14/07, Alex Harui <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote: If you can propose a way that users can know that their input is going to go to some other place on the screen or some hidden process in a browser, then we can allow keyboard access. Otherwise, my banner add will place a transparent window over your yahoo login and phish your password. Mean people suck, and prevent us from giving out functionality as we'd like to. We always opt for very conservative security in first releases of new functionality like fullscreen, until we can figure out how to relax some of those restrictions without inviting mean people to harm others. ________________________________ From: [email protected] <mailto:[email protected]> [mailto: [email protected] <mailto:[email protected]> ] On Behalf Of Troy Gilbert Sent: Friday, September 14, 2007 9:26 AM To: [email protected] <mailto:[email protected]> Subject: Re: [flexcoders] Full Screen Mode I know Adobe has heard an earful on this, but I'd like to stress it again since the issue has again been raised: Fullscreen mode without keyboard support is virtually worthless for almost any app other than playing fullscreen video. Now, I understand that fullscreen video is the primary reason for inclusion of this functionality. Fine. But Adobe needs to pay some serious attention to the world of online games which heavily use the Flash platform. Fullscreen games would be huge, but without keyboard support it simply won't happen. Fullscreen web apps like Picnik would be huge, but without keyboard support its limiting. I think the security requirement that an app can only go to fullscreen inside of a mouse or keyboard event is perfect. I think the security requirement that the ESCAPE key will *always* take the user out of the fullscreen is fine. I'd even be fine with the Flash Player popping open a confirmation dialog when the user wanted to go fullscreen just to be sure (with a corresponding "always for this website" option, just like popup blockers). But preventing all keyboard usage? It just renders fullscreen a completely worthless feature for our products. We would embrace it and brag about it and usher in some spectacular web-based experiences only possible because of the Flash platform, but simply won't be able to because we need a minimum amount of keyboard functionality (filling in a few forms, cursor keys, etc.). AIR isn't the answer for us as the whole reason we've gone with the Flash platform is the instant accessibility (no downloads). Please, please, please Adobe... please give us keyboard access in fullscreen! Please! Troy. On 9/14/07, Nick Collins <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote: Within the browser, no, but within AIR, yes. Since the Adobe AIR runtime sandbox extends to the local desktop, you can access the file system, and you can run full screen while still being able to use the keyboard and text inputs. On 9/14/07, Yigit Boyar < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote: yeah; it is sth that annoyed me; like years ago the removal of file access at flash. (i guess it was flash 4 to 5) anyway; security comes first of course, but there must be a way to enable these options, like a certificate or sth else.. adobe? Charlie Skinner wrote: Could anyone shed any light on what exactly the security issues are with Full Screen Mode? I was really excited about this functionality when I first read about it. But on further exploration I discover that: Users cannot enter text in text input fields while in full-screen mode. All keyboard input and key-related ActionScript is disabled while in full-screen mode, with the exception of the keyboard shortcuts that take the viewer out of full-screen mode. I'm working on a large CMS in Flex and not being able to use the keyboard or text input boxes makes the application pretty pointless.
