At 5:47  +0000 30/10/07, Ian Hickson wrote:
 > > Also, if the setting exists, it's far easier to trick users into setting it than if it doesn't.

 Out of curiosity, is an automatic switch to full screen without the
 user's consent considered an annoyance/usability problem or a
 security/phishing attack/vulnerability problem or both?

 FWIW, it's only the former IMO.

The former, yes.

I think if you can collect keystrokes then phishing is also on the cards, alas.

 > If someone does ask why scripts can't switch to full screen, what would
 the reason(s) be?

 1. There doesn't seem to be much demand for it.

 2. It's not clear what would be the best way for UAs to provide the
 functionality while preventing sites from taking advantage of the
 feature and annoying users.

Both, and also that it's considered ok for the user to have to tell the UA
that he wants to go fullscreen (rather than the script having to tell the
UA that the user wants to go fullscreen).

I think there's both demand and precedent; and if it's not in the spec., as I say, it should be explicitly excluded with its reasons, so browser makers don't simply all add it as an extension. That way, we'd get all the problems again, plus an interoperability problem as well.
--
David Singer
Apple/QuickTime
