61

I have been asking myself for a while what's the purpose of that popup showing up in pretty much all the modern browsers upon entering the full-screen mode of a video or website.

It appears to be a security measure against some sort of potential threats, but what is it about exactly? Which attack scenarios could be carried out without that?

Nicola Miotto
  • 682
  • 6
  • 10
  • 4
    Related: [CTRL+ALT+DEL Login - Rationale behind it?](http://security.stackexchange.com/questions/34972/ctrlaltdel-login-rationale-behind-it) – CodesInChaos Aug 22 '14 at 09:07

1 Answers1

73

The question is asked mostly to protect you from phishing attacks. The website may fake an Operating system, and ask you to enter sensitive information like passwords. To quote the spec:

User agents should ensure, e.g. by means of an overlay, that the end user is aware something is displayed fullscreen. User agents should provide a means of exiting fullscreen that always works and advertise this to the user. This is to prevent a site from spoofing the end user by recreating the user agent or even operating system environment when fullscreen.

There is also a very good discussion of this issue from Feross Aboukhadijeh, who also describes the security risks of allowing keyboard input.

user10008
  • 4,355
  • 21
  • 33
  • I don't think that that is, strictly speaking, phishing. Perhaps "social engineering" might be a better phrase? – KnightOfNi Aug 23 '14 at 22:13
  • 2
    @KnightOfNi phishing is a form of Social engineering. For me its phishing: a web site that masquerades as a specific entity to get access to sensitive information. – user10008 Aug 24 '14 at 00:52
  • 1
    I never said phishing wasn't social engineering, but that doesn't make all social engineering phishing... – KnightOfNi Aug 24 '14 at 02:07
  • @user10008 the explanation is clear, thanks! Although I still don't understand what "allow" means. By specification, it should be enough to show a clear overlay telling that the fullscreen has been triggered. But what's the semantic of "Allow"? There is no restriction in place, at least on Chrome. User input is permitted even before the "allowance" (e.g.: on Facebook you can tag photos while the popup is still there). Bad browser implementation, bad UX or am I missing something? – Nicola Miotto Aug 24 '14 at 08:59
  • @KnightOfNi therefore my answer has a second sentence. The only difference between "normal" phishing is that not a website gets faked, but the operating system. [Zulfikar Ramzan](http://books.google.com/books?id=I-9P1EkTkigC&pg=PA433&redir_esc=y#v=onepage&q&f=false) defines phishing through: `Phishing attacks [...] typically stem from a malicious email, that victims recieve effectively convincing them to visit a fradulent website at which they are tricked into divulging sensitive information [...].` – user10008 Aug 24 '14 at 15:28
  • @NicolaMiotto Its the usual usability - Security tradeoff, and its also important for secure products, that are in a competitive environment, to be usable. – user10008 Aug 24 '14 at 16:27
  • the point is obviously moot. My opinion is that the variance from "normal" phishing is sufficient that "social engineering" makes the answer MORE correct (for instance, dictionary.com limits it to websites: http://dictionary.reference.com/browse/phish?s=t). I believe that it is on a slight technicality that this is considered phishing. Yours, because you've read Mr. Ramzan's book, is obviously that this is well within the definition of phishing and a reversion to a more general term is LESS correct. Thanks to your explanation, I actually learned a new definition of the word, so thank you! (+1) – KnightOfNi Aug 24 '14 at 18:51