On 2015-03-12 11:24 AM, Boris Zbarsky wrote:
> On 3/12/15 10:26 AM, Ehsan Akhgari wrote:
>> Well, top level navigation cancels the fullscreen mode, right?
>
> The attack scenario I'm thinking is:
>
> 1) User loads http://a.com
> 2) Attacker immediately sets location to http://b.com
> 3) Attacker's hacked-up b.com goes fullscreen, pretending to still be
>    a.com to the user by spoofing browser chrome, while also turning on the
>    camera because the user granted permission to b.com to do that at some
>    point.

Do you mean that after (2), the user somehow interacts with the site but
doesn't realize that the site has gone full screen? (Note that the
fullscreen API cannot be used outside of user-generated event handlers.)
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform