Personally, I'd love to see the Privacy and Security boxes in chromestatus turn to green before approving this, as this seems like a potentially risky feature. Bonus point for pointers to public notes from that review :)
On Wednesday, October 4, 2023 at 6:25:58 AM UTC+2 ajayra...@google.com wrote: > Hi API Owners, > > Please let us know if you have any other questions or comments. The Origin > Trial is planned for M119 shipping to Stable on Tue, Oct 31, 2023. > > Thanks in advance. > > -Ajay > > On Thursday, September 28, 2023 at 3:30:56 PM UTC-7 btr...@chromium.org > wrote: > >> Avi: That's right, window-management permission must be granted for this >> feature to work (and appropriate permission policies). If not, the behavior >> falls back to opening the popup normally. >> >> Eric: We share your concerns. Besides the permission requirement, >> existing user security mitigations prohibit popups (fullscreen or >> otherwise) showing over existing HTML Fullscreen windows. Chromium-based >> browsers exit HTML Fullscreen when a popup window from the opener chain is >> opened or moved onto the same display. Attackers gain little advantage >> using this HTML Fullscreen API entrypoint over the classic >> Element.requestFullscreen(). >> >> >> Regards, >> Brad >> >> On Thu, Sep 28, 2023 at 1:14 PM Avi Drissman <a...@google.com> wrote: >> > As a clarification, would this be behind and gated by the Window >>> Management permission? The URLs of the spec imply that but I wanted to be >>> sure. >>> >>> Avi >>> >>> On Tue, Sep 26, 2023 at 4:16 PM Brad Triebwasser <btr...@chromium.org> >>> wrote: >>> >> Contact emails >>>> >>>> btr...@chromium.org, m...@chromium.org >>>> >>>> Explainer >>>> >>>> >>>> https://github.com/w3c/window-management/blob/main/EXPLAINER_fullscreen_popups.md >>>> >>>> Specification >>>> >>>> >>>> https://github.com/w3c/window-management/blob/main/EXPLAINER_fullscreen_popups.md#spec-changes >>>> >>>> Design docs >>>> >>>> >>>> https://github.com/w3c/window-management/blob/main/security_and_privacy_fullscreen_popups.md >>>> >>>> Summary >>>> >>>> Adds the ability to open a popup directly to fullscreen. >>>> >>>> Adds a `fullscreen` option to the `windowFeatures` parameter to the >>>> `window.open()` JavaScript API, which allows the caller to open a popup >>>> directly to full-screen on the display that would contain the popup (based >>>> on `screenX`/`screenY`). This eliminates the need for the developer to >>>> manually transition a popup into fullscreen, which could require a >>>> separate >>>> user activation signal. >>>> >>>> Blink component >>>> >>>> Blink>Fullscreen >>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EFullscreen>, >>>> >>>> Blink>WindowDialog >>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWindowDialog>, >>>> >>>> Blink>Screen>MultiScreen >>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component%3ABlink%3EScreen%3EMultiScreen&can=2> >>>> >>>> TAG review >>>> >>>> https://github.com/w3ctag/design-reviews/issues/840 >>>> >>>> TAG review status >>>> >>>> Pending >>>> >>>> Risks >>>> >>>> Interoperability and Compatibility >>>> >>>> Gecko: No signal ( >>>> https://github.com/mozilla/standards-positions/issues/714) >>>> >>>> WebKit: No signal ( >>>> https://github.com/WebKit/standards-positions/issues/101) >>>> >>>> Web developers: Positive >>>> https://github.com/w3c/window-placement/issues/7 >>>> https://github.com/w3c/window-placement/issues/98 >>>> https://github.com/w3c/window-placement/issues/92 >>>> >>>> Other signals: >>>> >>>> WebView application risks >>>> >>>> This feature is not supported on WebView, attempted usage will fall >>>> back to existing behavior. >>>> >>>> Goals for experimentation >>>> >>>> Gather feedback from early adopters on the API shape, ease of >>>> integration, edge cases that may require attention. Iterate on potential >>>> UX >>>> improvements related to this alternative fullscreen entrypoint. >>>> >>>> Ongoing technical constraints >>>> >>>> None >>>> >>>> Debuggability >>>> >>>> This feature utilizes the existing `windowFeatures` string parameter in >>>> `window.open()` and does not modify any structured (i.e. WebIDL) API >>>> surface. This feature will utilize existing fullscreen APIs which >>>> developers can use for debugging (`document.fullscreenElement`, >>>> `fullscreenchange`, and `fullscreenerror`, etc.), in the absence of an >>>> `Element.requestFullscreen()` promise. >>>> >>>> Will this feature be supported on all six Blink platforms (Windows, >>>> Mac, Linux, Chrome OS, Android, and Android WebView)? >>>> >>>> No. This feature initially only applies to desktop platforms. Support >>>> for mobile platforms may be considered in the future. >>>> >>>> Is this feature fully tested by web-platform-tests >>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>> ? >>>> >>>> Mostly. Automated web platform tests are limited to single display >>>> environments, so manual execution is required to test fullscreen popups >>>> <https://wpt.fyi/results/window-management/multi-screen-window-open-fullscreen.tentative.https.html?label=master&label=experimental&aligned> >>>> >>>> across displays. (crbug.com/1252062) >>>> >>>> Flag name on chrome://flags >>>> >>>> chrome://flags/#fullscreen-popup-windows >>>> >>>> Finch feature name >>>> >>>> FullscreenPopupWindows >>>> >>>> Requires code in //chrome? >>>> >>>> False >>>> >>>> Tracking bug >>>> >>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1142516 >>>> >>>> Launch bug >>>> >>>> https://launch.corp.google.com/launch/4263088 >>>> >>>> Estimated milestones >>>> >>>> OriginTrial desktop last >>>> >>>> 123 >>>> >>>> OriginTrial desktop first >>>> >>>> 119 >>>> >>>> DevTrial on desktop >>>> >>>> 113 >>>> >>>> Link to entry on the Chrome Platform Status >>>> >>>> https://chromestatus.com/feature/6002307972464640 >>>> >>>> Links to previous Intent discussions >>>> >>>> Intent to prototype: >>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/t8lL5RvfLJY >>>> >>>> Ready for Trial: >>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/EnDQsWx8cGQ >>>> >>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> >>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to blink-dev+...@chromium.org. >>> >>> >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALEeEUCSym%2BRaquhSMyAjwEF09dWS3zLJk97kj8XaoCscL61Fg%40mail.gmail.com >>>> >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALEeEUCSym%2BRaquhSMyAjwEF09dWS3zLJk97kj8XaoCscL61Fg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/165d3c77-5b64-49bf-a3f6-04d594577504n%40chromium.org.
