Currently key input in DOM full-screen mode is restricted to keys in the following ranges: * DOM_VK_CANCEL to DOM_VK_CAPS_LOCK, inclusive * DOM_VK_SPACE to DOM_VK_DELETE, inclusive * DOM_VK_SEMICOLON to DOM_VK_EQUALS, inclusive * DOM_VK_MULTIPLY to DOM_VK_META, inclusive The security team wanted to be even more restrictive, and limit key input to an explicit whitelist of the following keys: * tab, space, arrow keys, page-up, page-down, home, end, * shift, ctrl, alt/option, command and combinations thereof, with the previous set of keys (except command/ctrl-tab).
List of keycodes for reference http://mxr.mozilla.org/mozilla-central/source/dom/interfaces/events/nsIDOMKeyEvent.idl#45 I would prefer the more restricted keyset unless there is a reason for allowing more keys than necessary. I'm assuming the goal is to provide the minimal number of keys that would allow the user to navigate/manipulate full screen controls. Is the restriction of cmd/ctrl-tab to prevent the user from changing to another application? We should consider bug 685402 in the decision, though maybe we will just require the user to use the mouse for selecting a window in another monitor.
So the white-list so far proposed is: DOM_VK_TAB DOM_VK_SPACE DOM_VK_PAGE_UP DOM_VK_PAGE_DOWN DOM_VK_END DOM_VK_HOME DOM_VK_LEFT DOM_VK_UP DOM_VK_RIGHT DOM_VK_DOWN DOM_VK_SHIFT DOM_VK_CONTROL DOM_VK_ALT DOM_VK_META Do we want to include DOM_VK_RETURN and DOM_VK_ENTER?
Created attachment 570948 [details] [diff] [review] Patch v1 Limit key input further. The only key codes which don't cause a "Press ESC to exit full-screen mode" warning to pop up when pressed are those listed in comment 2.
This looks to be appropriately documented there: https://developer.mozilla.org/en/DOM/Using_full-screen_mode#Things_your_users_want_to_know I don't think it needs more documentation. If you disagree, re-flip the keyword, please.