On 13/10/12 07:20, Carr, Wayne wrote:
There’s a recent post on a phishing attack using the full screen api [1][2}[3].
It's worth noting that this attack has been possible in Flash for years, and the sky hasn't fallen.
Running the example attack, Firefox and Chrome both put up a popup at the top saying the site has gone full screen and asking to approve or deny. But for both of them the screen is already full screen and active (Firefox greys the content but doesn’t disable it). So if the user doesn’t see the popup or ignores it, they can think they’re interacting with another site. In the example, it is a bank. Why not require in the spec that it doesn’t go full screen until after the user approves?
This is basically for scripts/authors' benefit. If permission must be requested before entering fullscreen there's no way for script to distinguish between the case of the user being about to approve/deny the permisison request, or the user having ignored the permission request. So it's harder for script to know whether/when it should take its fallback path.
However I believe the current specification could be interpreted to allow a permission prompt before entering fullscreen; the specification for requestFullscreen() says it runs asynchronously, which gives scope for a permission request before or approval request after entering fullscreen.
That would at least force the user to pay attention to the popup.
If you're going to argue that people won't pay attention to an approval prompt shown after entering fullscreen, then the same argument also applies to showing the approval UI before entering fullscreen.
Regards, Chris Pearce.
