On Feb 1, 2010, at 1:14 AM, Henri Sivonen wrote:

> On Jan 31, 2010, at 05:08, Simon Fraser wrote:
> 
>> * disallow enterFullscreen() from a frame or iframe
> 
> This might be a problem if video sites transition their embedding boilerplate 
> to an iframe in order to be able to serve HTML5, Flash, ActiveX, 
> etc. depending on UA without requiring the embedders to copy and paste 
> anything fancy.

Perhaps we'd enforce a same-origin rule where the iframe contents have to be 
from the same domain as the main page, then?
> 
>> * show a hard-to-spoof overlay with some text that tells the user that they 
>> can use the Escape key to exit fullscreen, and prevent the page from 
>> capturing this keypress.
> 
> IIRC, it has been shown that at least as implemented in Flash Player, it is 
> possible to draw enough distractions to make the users unable to read this 
> message.

That's why I said "hard to spoof". The Flash overlay makes the mistake of not 
being contrasty enough. An improvement would be to dim out the rest of the 
content while showing this overlay.

> Also, when the site is legitimate, it's quite annoying to have the overlay 
> there.
> 
> Personally, I'd rather have to click through a once per-Origin authorization 
> bar (like geolocation in Firefox) than watch the "press esc" overlay every 
> time.

That's a possibility, yes.

> 
>> * make the location field available to the user so that they can see the URL 
>> even when in fullscreen
> 
> This defeats the point of full screen. If I want a 16:9 video to go full 
> screen on a 16:9 display, I want all screen pixels to be used for the video.

I said "make available", not "should be visible at all times". I was thinking 
of a behavior where it shows up at the top of the screen if the user moves the 
mouse close to the top.

>> * drop out of fullscreen if navigating to another page
> 
> This would constrain slide shows to be unnecessarily Ajaxy and less linkable 
> with per-slide JavaScriptless URLs.

Maybe a same-origin test could be used here too? But personally I think it's OK 
to force a fullscreen "application" to rely on AJAX and twiddling 
location.hash, rather than loading new pages.

Simon
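
The two same-origin tests suggested in the message above (for an iframe requesting fullscreen, and for navigation while in fullscreen), sketched as an added example that is not part of the original message or of any browser's code. The function names and sample URLs are hypothetical, and "same domain" is assumed to mean the usual origin comparison of scheme, host and port.

```javascript
// Hypothetical policy model; not a browser API. Sample URLs are constructed.

// Serialized origin (scheme://host[:port]) of a URL, or null when the URL is
// malformed or has an opaque origin (data:, file:, ...).
function originOf(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null;
  }
  // URL.origin serializes every opaque origin as the string "null". Two such
  // strings compare equal, so map them to "no origin" before comparing.
  return parsed.origin === "null" ? null : parsed.origin;
}

// True only when both URLs have a real origin and the origins match.
function sameOrigin(a, b) {
  const originA = originOf(a);
  const originB = originOf(b);
  return originA !== null && originA === originB;
}

// iframe case: allow the fullscreen request only when the frame's content
// comes from the same origin as the main page.
function frameMayEnterFullscreen(frameUrl, mainPageUrl) {
  return sameOrigin(frameUrl, mainPageUrl);
}

// navigation case: stay in fullscreen only when the next page is same-origin
// with the current one; otherwise drop out of fullscreen.
function staysFullscreenOnNavigation(currentUrl, nextUrl) {
  return sameOrigin(currentUrl, nextUrl);
}

// Constructed cases: third-party video embed, per-slide URLs, scheme change.
console.log(frameMayEnterFullscreen("https://video.example/embed/1", "https://blog.example/post"));
console.log(staysFullscreenOnNavigation("https://slides.example/deck/1", "https://slides.example/deck/2"));
console.log(staysFullscreenOnNavigation("https://slides.example/deck/1", "http://slides.example/deck/2"));
```

Under this rule the third-party embed case raised in the quoted reply is denied, while per-slide URLs on one origin keep fullscreen.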
