2009/12/16 Jonas Sicking <jo...@sicking.cc>:
> 2009/12/16 Ian Fette (イアンフェッティ) <ife...@google.com>:
>> I think what I've heard from application developers over and over again is
>> that, while the UA may provide some way to go into full screen from in the
>> browser chrome, it is much more discoverable when that capability exists
>> from within the content area (e.g. people are used to clicking on the full
>> screen button in YouTube, and when you take that away users can no longer
>> figure out how to go full screen).
>> Obviously there are security considerations re: UI spoofing, but I'm
>> beginning to wonder how much we should beat ourselves over this. If there
>> are simple things that we can do to improve upon the model Flash uses (e.g.
>> don't have a translucent overlay but instead use an opaque overlay, or use
>> an overlay that doesn't go away until the user dismisses it, etc) without
>> totally killing current use cases and discoverability, then let's consider
>> that. Overall though, it feels like we are burying our head in the sand a
>> bit by saying "Well, as long as HTML doesn't provide a way to go full
>> screen, the users are safe and it's not *our* fault if anything bad
>> happens," when the reality is that Flash is installed on 98-99% of all
>> machines out there and anyone who is really trying to phish people using
>> this method could easily use Flash instead of whatever we provide. (And yes
>> I'm aware people can turn off Flash, but those users sophisticated enough to
>> use noflash can probably figure out if they are in full-screen mode or not.)
>> -Ian
>
> In addition to UI spoofing there is also the "annoying websites"
> factor. There is today an API for pages to resize the browser window,
> which I know that some pages abuse to resize the browser window to be
> as big as possible. This API is one of very few that Firefox has
> specific API to turn off, because it's one of the APIs that annoy users
> the most.
>
> As for Flash going full screen. I heard something regarding that while
> in full screen mode Flash disables certain capabilities, in order to
> reduce the risk of spoofing. Such as the ability to receive keyboard
> events. Haven't investigated this at all though.

I looked into this when implementing fullscreen for O3D. Yes, they disable keyboard input entirely. That's acceptable for some applications, but quite limited for games, accessibility, etc.

What we ended up doing was allowing the developer to designate a rectangular region of the window to be a clickable region that would trigger the fullscreen transition. When the user clicked it, we'd go fullscreen, then put up a banner for a few seconds that told them how to get out of it [hit Esc]. The Esc key was always the way out, intentionally matching Flash. The app developer was responsible for informing the user where to click, so that we didn't force a UI on them.

Eric
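
The click-region policy described in the message above, modelled as a small state machine. This is an added example, not part of the original post and not O3D's API: `FullscreenGate`, its methods, the `userInitiated` flag, the 3-second banner value, and the choice to consume Esc before it reaches the app are all assumptions made for illustration.

```javascript
// Added illustration of the click-region fullscreen policy described above.
// All names here are hypothetical; this is not the O3D API.
const BANNER_MS = 3000; // assumed value; the post only says "a few seconds"

class FullscreenGate {
  constructor() {
    this.region = null;     // rectangle designated by the app developer
    this.fullscreen = false;
    this.bannerUntil = 0;   // timestamp (ms) until which the exit banner shows
  }

  // The app designates where a click may trigger the fullscreen transition.
  setClickRegion(x, y, width, height) {
    this.region = { x, y, width, height };
  }

  // Called for every mouse click. `userInitiated` is assumed to be true only
  // for real input events, never for events synthesized by page script.
  handleClick(x, y, userInitiated, now) {
    if (this.fullscreen || !userInitiated || !this.region) return false;
    const r = this.region;
    const inside = x >= r.x && x < r.x + r.width &&
                   y >= r.y && y < r.y + r.height;
    if (!inside) return false;
    this.fullscreen = true;
    this.bannerUntil = now + BANNER_MS; // tell the user how to get out
    return true;
  }

  // Assumption of this model: Esc is handled by the gate before the app sees
  // it, so content cannot swallow the exit key. Other keys reach the app,
  // unlike Flash's fullscreen mode, which disables keyboard input.
  handleKey(key) {
    if (this.fullscreen && key === 'Escape') {
      this.fullscreen = false;
      this.bannerUntil = 0;
      return 'exit-fullscreen';
    }
    return 'deliver-to-app';
  }

  // Banner text while it is still due to be shown, otherwise null.
  bannerText(now) {
    return this.fullscreen && now < this.bannerUntil
      ? 'Press Esc to exit full screen' : null;
  }
}
```
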