Tuesday 16 August 2011
Securing Full-Screen
Some Web apps would benefit from displaying full-screen, without any non-app content visible. Obvious examples are watching video and playing immersive games. A while ago I proposed a Web API to enable this, and Chris Pearce is making good progress implementing a version of it in Firefox. A slightly different version of it is in Safari now too.
Our biggest issue right now is how to make it secure. The perceived threat is a malicious page going full-screen and then displaying something that looks like the content of another site, say the user's bank, complete with a false URL bar --- or the content of a native application or the operating system, for that matter.
There are a few things we can do to make it harder for a malicious application to go full-screen. We can ensure that full-screen requests are only honoured from scripts triggered by user input (mouse clicks and keystrokes), much like requests to open popup windows. We can make sure that when going full-screen, we display a clear message describing how to leave full-screen --- like Flash does, but hopefully better. Then if a malicious page goes full-screen when the user didn't want to, the user will probably exit full-screen immediately.
A harder case is when the user intentionally goes full-screen to watch a video or play a game, but the application later tries to abuse full-screen status by spoofing another page or application. Most spoofing attacks require user input that the browser can detect, so for full-screen video and other applications that don't require much input, we could show a real URL bar while the user is typing input, so the user knows the true domain. However, many applications (games) want to be full-screen while receiving the full range of user input. It's unclear how we could distinguish such applications from a spoofing attack. The risks here already exist to some extent, if an application can persuade users to manually go full-screen, for example by pressing F11 in Firefox.
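To make the two browser-side measures above concrete (honouring requests only from user-input handlers, drawing an exit hint, and re-showing the real URL bar when a full-screen page starts receiving keystrokes), here is an added pure-JavaScript model; it is not code from this post, Firefox or Safari, and the tab object, function names and event model are assumptions.

```javascript
// Added example; the tab model and names are assumptions, not Firefox/Safari code.
function createTab(domain) {
  return {
    domain,
    handlingUserInput: false, // true only while the browser dispatches a click/keystroke
    fullscreen: false, urlBarVisible: true,
    exitHintVisible: false,   // browser-drawn "how to leave full-screen" message
    log: [],
  };
}

// The browser runs page script while dispatching a user event; a full-screen
// request can only succeed inside that window, much like opening a popup.
function dispatchUserEvent(tab, type, pageHandler) {
  tab.handlingUserInput = true;
  try {
    if (tab.fullscreen && type === 'keydown') {
      // Low-input case from the post: the user is typing while full-screen,
      // so reveal the genuine URL bar carrying the true domain.
      tab.urlBarVisible = true;
      tab.log.push(`url bar shown: ${tab.domain}`);
    }
    pageHandler(tab);
  } finally {
    tab.handlingUserInput = false;
  }
}

// Page-callable request (modelled on requestFullscreen; not the real DOM call).
function requestFullscreen(tab) {
  if (!tab.handlingUserInput) {
    tab.log.push('fullscreen denied: not triggered by user input');
    return false;
  }
  tab.fullscreen = true; tab.urlBarVisible = false; tab.exitHintVisible = true;
  tab.log.push('fullscreen granted, exit hint shown');
  return true;
}

// Scenario: a timer-driven request is refused, a click-driven one is granted,
// and typing while full-screen makes the real URL bar reappear.
function runScenario() {
  const tab = createTab('example.com');               // constructed sample domain
  const fromTimer = requestFullscreen(tab);           // as if from setTimeout: denied
  dispatchUserEvent(tab, 'click', requestFullscreen); // granted
  dispatchUserEvent(tab, 'keydown', () => {});        // URL bar comes back
  return { fromTimer, fullscreen: tab.fullscreen, urlBarVisible: tab.urlBarVisible,
           exitHintVisible: tab.exitHintVisible, log: tab.log };
}
```

The model does not address the game case the post raises next: a page that legitimately consumes the full range of input while full-screen looks, to this policy, exactly like a spoofing page.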
This feature seems particularly challenging to design because browser security often depends on the assumption that the user can visually identify the domain of the current page at all times, and full-screen violates that by definition. (However, mobile browsers seem to violate that assumption by hiding browser UI most of the time; I wonder how browser security people feel about that.)
This problem would be a good one for security researchers to study and solve! I think the world would be a better place if security research focused more on constructive solutions to problems like this one :-). Anyway, feedback and ideas welcome from anyone, security researchers or not.