Currently key input in DOM full-screen mode is restricted to keys in the following ranges:
* DOM_VK_CANCEL to DOM_VK_CAPS_LOCK, inclusive
* DOM_VK_SPACE to DOM_VK_DELETE, inclusive
* DOM_VK_SEMICOLON to DOM_VK_EQUALS, inclusive
* DOM_VK_MULTIPLY to DOM_VK_META, inclusive
The security team wanted to be even more restrictive, and limit key input to an explicit whitelist of the following keys:
* tab, space, arrow keys, page-up, page-down, home, end,
* shift, ctrl, alt/option, command and combinations thereof, with the previous set of keys (except command/ctrl-tab).
List of keycodes for reference
I would prefer the more restricted keyset unless there is a reason for allowing more keys than necessary. I'm assuming the goal is to provide the minimal number of keys that would allow the user to navigate/manipulate full screen controls.
Is the restriction of cmd/ctrl-tab to prevent the user from changing to another application? We should consider bug 685402 in the decision, though maybe we will just require the user to use the mouse for selecting a window in another monitor.
So the white-list so far proposed is:
Do we want to include DOM_VK_RETURN and DOM_VK_ENTER?
Created attachment 570948
Limit key input further. The only key codes which don't cause a "Press ESC to exit full-screen mode" warning to pop up when pressed are those listed in comment 2.
This looks to be appropriately documented there:
I don't think it needs more documentation. If you disagree, re-flip the keyword, please.
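An added illustration, not part of the bug thread or the attached patch: the range-based restriction from the description next to one reading of the proposed whitelist, with the keys that the whitelist would newly block. The `VK` table uses Gecko's `DOM_VK_*` key code values; the function names and the handling of modifier combinations are assumptions made for this sketch.

```javascript
// Gecko DOM_VK_* key code values (subset, enough to compare the two policies).
const VK = {
  CANCEL: 3, TAB: 9, RETURN: 13, SHIFT: 16, CONTROL: 17, ALT: 18,
  CAPS_LOCK: 20, ESCAPE: 27, SPACE: 32, PAGE_UP: 33, PAGE_DOWN: 34,
  END: 35, HOME: 36, LEFT: 37, UP: 38, RIGHT: 39, DOWN: 40, DELETE: 46,
  A: 65, SEMICOLON: 59, EQUALS: 61, MULTIPLY: 106, F5: 116, META: 224,
};

// Current policy from the description: four inclusive key code ranges.
const RANGES = [
  [VK.CANCEL, VK.CAPS_LOCK],
  [VK.SPACE, VK.DELETE],
  [VK.SEMICOLON, VK.EQUALS],
  [VK.MULTIPLY, VK.META],
];

// Proposed policy: explicit list of navigation keys plus the modifier keys.
const NAV_KEYS = new Set([VK.TAB, VK.SPACE, VK.LEFT, VK.UP, VK.RIGHT, VK.DOWN,
  VK.PAGE_UP, VK.PAGE_DOWN, VK.HOME, VK.END]);
const MODIFIER_KEYS = new Set([VK.SHIFT, VK.CONTROL, VK.ALT, VK.META]);

function allowedByRanges(keyCode) {
  return RANGES.some(([lo, hi]) => keyCode >= lo && keyCode <= hi);
}

// ev mirrors the fields of a DOM key event: { keyCode, ctrlKey, metaKey }.
function allowedByWhitelist(ev) {
  if (MODIFIER_KEYS.has(ev.keyCode)) return true;   // a modifier pressed alone
  if (!NAV_KEYS.has(ev.keyCode)) return false;      // not on the explicit list
  // The one excluded combination: command/ctrl-tab.
  if (ev.keyCode === VK.TAB && (ev.ctrlKey || ev.metaKey)) return false;
  return true;                                      // nav key, any other modifiers
}

// Names of keys the range policy lets through but the whitelist would block.
function tightenedKeys() {
  return Object.keys(VK).filter(
    (name) => allowedByRanges(VK[name]) && !allowedByWhitelist({ keyCode: VK[name] })
  );
}

// RETURN is in this list: the whitelist as written does not include it,
// which is the open question raised in the thread.
console.log(tightenedKeys().join(", "));
```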