There’s a recent post on a phishing attack using the full screen API [1][2][3].

Running the example attack, Firefox and Chrome both put up a popup at the top 
saying the site has gone full screen and asking to approve or deny.  But for 
both of them the screen is already full screen and active (Firefox greys the 
content but doesn’t disable it).  So if the user doesn’t see the popup or 
ignores it, they can think they’re interacting with another site.  In the 
example, it is a bank.

Why not require in the spec that it doesn’t go full screen until after the user
approves?  That would at least force the user to pay attention to the popup.  A
note in the warning to users that full screen apps can mimic other sites may
be useful.

The draft now says “User agents should ensure, e.g. by means of an overlay,
that the end user is aware something is displayed fullscreen.”

That “should” should be “MUST” and it should say no switch can happen to full 
screen until after the user has approved.

The draft also says “This specification was published by the
WHATWG <http://www.w3.org/community/whatwg/>. It is not a W3C Standard nor is it
on the W3C Standards Track” which is a bit confusing for a draft I got off the
WebApps WG page, is a deliverable in the WebApps charter and which has been
published as a FPWD by the WG.

[1] http://feross.org/html5-fullscreen-api-attack/
[2] http://threatpost.com/en_us/blogs/proof-concept-exploits-html5-fullscreen-api-social-engineering-100912
[3] http://dvcs.w3.org/hg/fullscreen/raw-file/tip/Overview.html
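As an added illustration of the two policies the mail contrasts (this is not code from the mail, from the attack write-up or from the Fullscreen draft, and it is a plain Node simulation rather than browser code), the model below compares a user agent that enters fullscreen first and prompts afterwards with one that keeps the request pending until the user approves. The class and method names (`FullscreenUserAgent`, `simulate`, the policy strings and the `"page-frame"` element name) are assumptions chosen for the example; only `fullscreenElement` and `requestFullscreen` loosely echo the real API.

```javascript
// Added illustration (not code from the original mail or from the Fullscreen
// draft): a small model of two user-agent policies for requestFullscreen().
//
//   "prompt-after"  : the document becomes fullscreen immediately and the
//                     approve/deny prompt sits on top of already-live content
//                     (what the mail reports for Firefox and Chrome).
//   "approve-first" : the request stays pending; nothing is fullscreen until
//                     the user explicitly approves (what the mail proposes).
//
// Names mirror the real API only loosely; this runs in plain Node.

class FullscreenUserAgent {
  constructor(policy) {
    if (policy !== "prompt-after" && policy !== "approve-first") {
      throw new Error("unknown policy: " + policy);
    }
    this.policy = policy;
    this.fullscreenElement = null; // like document.fullscreenElement
    this.pending = null;           // element awaiting the user's decision
    this.promptVisible = false;    // the top-of-screen approve/deny bar
    this.events = [];              // order in which things happened
  }

  // Page script calls this; returns true if a request was started.
  requestFullscreen(element) {
    if (this.fullscreenElement !== null || this.pending !== null) return false;
    this.pending = element;
    this.promptVisible = true;
    if (this.policy === "prompt-after") {
      // Content is live and interactive before the user has answered.
      this.fullscreenElement = element;
      this.events.push("fullscreen:" + element);
    }
    this.events.push("prompt");
    return true;
  }

  // True when the user can already interact with fullscreen content
  // while the approve/deny decision is still outstanding.
  liveContentBeforeDecision() {
    return this.pending !== null && this.fullscreenElement === this.pending;
  }

  approve() {
    if (this.pending === null) return;
    if (this.policy === "approve-first") {
      // Only now does anything go fullscreen.
      this.fullscreenElement = this.pending;
      this.events.push("fullscreen:" + this.pending);
    }
    this.events.push("approve");
    this.pending = null;
    this.promptVisible = false;
  }

  deny() {
    if (this.pending === null) return;
    this.fullscreenElement = null; // exit (or never enter) fullscreen
    this.events.push("deny");
    this.pending = null;
    this.promptVisible = false;
  }
}

// Run one scenario: a page requests fullscreen and the user reacts with
// "approve", "deny" or "ignore". Returns what the user was actually exposed to.
function simulate(policy, userAction) {
  const ua = new FullscreenUserAgent(policy);
  ua.requestFullscreen("page-frame"); // constructed element name
  const liveBeforeDecision = ua.liveContentBeforeDecision();
  if (userAction === "approve") ua.approve();
  else if (userAction === "deny") ua.deny();
  // "ignore": the user never answers the prompt
  return {
    liveBeforeDecision,
    fullscreenAfter: ua.fullscreenElement,
    promptStillUp: ua.promptVisible,
    events: ua.events,
  };
}
```

The interesting case is `simulate(policy, "ignore")`: under `"prompt-after"` the content is live and fullscreen with the prompt still up, which is exactly the window the mail describes, whereas under `"approve-first"` the user who ignores the prompt is never shown fullscreen content at all.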
