Closed
Bug 127405
Opened 23 years ago
Closed 22 years ago
Scripts can put a window in fullscreen mode
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
FIXED
mozilla1.0
People
(Reporter: jonasj, Assigned: security-bugs)
Details
Attachments
(1 file)
|
674 bytes,
patch
|
security-bugs
:
review+
jst
:
superreview+
asa
:
approval+
|
Details | Diff | Splinter Review |
I learned from bug 116503 comment 6 that var win = window.open(); win.fullScreen = true; will open a new window and put it in fullscreen mode. That scripts are able to do that when the user hasn't explicitly allowed it to, I consider a bug.
|
||
Comment 1•23 years ago
|
||
i mentioned the same concern in my original suggestion of this feature in <a href="http://bugzilla.mozilla.org/show_bug.cgi?id=127366">bug 127366</a>. maybe the default 'right' for a script should be to open fullscreen windows onClick/MouseDown/MouseUp, only, not onLoad etc.
|
|
||
Comment 2•23 years ago
|
||
... this bugzilla thingy is smart ... ;-)
|
||
Comment 3•23 years ago
|
||
I agree with Jonas on general principle. More importantly, Mitch has in the past expressed security concerns over scripts being able to resize the window such that the titlebar is offscreen, which is precisely what full screen mode does (bug 127444). Finally there is bug 126720 (no lock icon in fullscreen mode). I feel that until these major security issues are resolved fullscreen mode should be noAccess by default. Once they _are_ resolved, it may be OK sense to make it sameOrigin or allAccess.
|
||
Comment 4•23 years ago
|
||
IE allows scripts to open full-screen windows, and advertisers abuse it all the time in order to make their pop-ups harder to close. I've never seen a site use the IE feature with any intent other than to make it more difficult for the user to leave. (Mozilla at least keeps the minimize/restore/close buttons visible, so it's not as bad as IE in this regard.) What concerns me the most is that full-screen mode hides the Windows taskbar, allowing a web site to spoof the taskbar. Before window.fullScreen, the taskbar was one of the hardest areas of the screen to cover or spoof (bug 82130 comment 10), and that should be restored.
Why is it always about advertisiers? Scripting to full screen mode is good for many future real world applications using web browser technology. I do not really think this concerns any privacy issue just because one or two evil advertisiers uses it for their malicious purposes.
I understand that the content opened in the main window shouldnt be allow to script itself to fullscreen; however, opening child windows in full screen should be allowed. It would be possible to put a preferences option much like 'dont open child windows', so that user can select that option banning child windows going full screen. In that case child windows wanting to open full screen can be showed as maximized titled windows.
|
||
Comment 8•23 years ago
|
||
The plan in bug 68136 which was where the feature was implemented was for content to have noAccess level access to the property. All that needs to be done is to replace the letters "all" with "no" in "allAccess" in http://lxr.mozilla.org/mozilla/source/modules/libpref/src/init/all.js#283
|
Reporter | |
Comment 9•23 years ago
|
||
|
|
Reporter | |
Updated•23 years ago
|
|
|
||
Comment 10•23 years ago
|
||
bora123@yahoo.com, if a person is using this in an application, then they should let users know to turn the feature on for web content. In other bugs you comment about fullscreen being used for presentations. In those cases one can _certainly_ set up a security policy that will allow a particular site or set of sites (the ones involved in the presentation) to put the window in fullscreen mode. The thought about only allowing full-screen mode for child windows is a decent one....
|
|
Reporter | |
Comment 11•23 years ago
|
||
bzbarsky, could you review the patch, please?
|
|
||
Comment 12•23 years ago
|
||
The patch is fine, but hewitt, jst, and mstoltz should just make a call about what the right thing to do here is. _Then_ we can get to fixing this bug. All that said, has someone tested full screen mode on mac (run the js in question from the URL bar or something)? The current impl has been tested only on Windows, since there is only UI to start it on Windows. Hence on other platforms it may have issues...
|
||
Comment 13•23 years ago
|
||
Full Screen mode just plain doesn't work on Mac/Linux. It wouldn't be overly difficult to make it work, though. I am highly in favor of allowing scripts to put the window in full screen mode. In the interest of security, I think the best safeguard would be to present the user with a dialog saying that the web page wants to use full screen, with Yes/No and [] Remember next time.
|
|
||
Comment 14•23 years ago
|
||
Well... on linux right now it will hide all your chrome and super-maximize your window (it's actually bigger than maximized). So it's pretty darn close to working.... A "yes/no/remember next time" is fine as long as something like: while (!window.fullScreen) window.fullScreen = true; doesn't pop up dialogs in an infinite loop....
|
Assignee | |
Comment 15•23 years ago
|
||
Read my lips - no new dialogs. Dialogs are CYA security, not real security, and they detract from the user experience. Rather than include a potentially unsafe mode and warn the user about it, let's make a safer full-screen mode, say, one that still displays a titlebar and lock icon - on all platforms and window managers. If that's too hard, then let's prevent scripts from invoking full-screen mode, which seriously lowers the bar on spoofing attacks. In fact, I'd like to check in this patch, at least until we've resolved the issue.
|
|
Assignee | |
Updated•23 years ago
|
Attachment #71318 -
Flags: review+
|
|
Assignee | |
Comment 16•23 years ago
|
||
r=mstoltz
|
|
||
Comment 17•23 years ago
|
||
Another solution is to leave scripts being able to start full-screen mode on Windows (where the mode is presumably well-tested and such) and disable access in unix.js/macprefs.js....
|
|
||
Comment 18•23 years ago
|
||
Web pages can already get "Full screen mode but with a title bar and task bar":
javascript:window.open("","","no"). If a site needs 16 more pixels, it can ask
the user to press F11.
|
||
Comment 19•23 years ago
|
||
Mitch, I'm giving this to you since you seem to have ideas on this, if you don't want to do the legwork on this one hand it over to hewitt who implemented fullscreen mode in the first place.
Assignee: jst → mstoltz
|
|
Assignee | |
Comment 20•23 years ago
|
||
Me and my big mouth :) If by "legwork" you mean checking in Jonas's patch, sure. Can you sr?
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.0
|
|
||
Comment 21•23 years ago
|
||
Comment on attachment 71318 [details] [diff] [review] you mean... like this? sr=jst
Attachment #71318 -
Flags: superreview+
|
||
Comment 22•22 years ago
|
||
Comment on attachment 71318 [details] [diff] [review] you mean... like this? a=asa (on behalf of drivers) for checkin to the 1.0 trunk
Attachment #71318 -
Flags: approval+
|
|
Reporter | |
Comment 23•22 years ago
|
||
According to bonsai, this was checked in at 2002-03-08 14:04. Marking FIXED. http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/modules/libpref/src/init&command=DIFF_FRAMESET&file=all.js&rev1=3.341&rev2=3.342&root=/cvsroot
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•