Mozilla Developing Secure Full-Screen Firefox Feature

By Douglas Perry
published

Mozilla's Robert O'Callahan said that the company is currently working on a full-screen implementation for web apps in Firefox.

However, O'Callahan said that Mozilla is concerned about security issues, for example about the fact that a user will not see the URL of a service in full-screen mode.

The engineer suggested that Mozilla could go different routes to make full-screen scenarios more secure, for example by enabling full-screen modes only through a manual user request and providing a pop-up window.

"We can make sure that when going full-screen, we display a clear message describing how to leave full-screen - like Flash does, but hopefully better, O'Callahan wrote. "Then if a malicious page goes full-screen when the user didn't want to, the user will probably exit full-screen immediately."

More problematic are spoofing attacks that occur when a full-screen window is already opened. However, O'Callahan says that "most spoofing attacks require user input that the browser can detect" in which cases the URL bar could be shown. But even there appear to be issues, as especially games are designed to be in full-screen mode all the time "while receiving the full range of user input."

Mozilla does not have a solution for this problem and is asking security researchers for feedback.

Douglas Perry
16 Comments Comment from the forums
  • HansVonOhain
    And this feature will be on firefox 9.
    Reply
  • HansVonOhainAnd this feature will be on firefox 9.
    So by Nov then, sweet!
    Reply
  • amigafan
    I see Tom's just like Mozilla started with scheme of lots of minor and actually unimportant stuff released extremely often.
    Reply
  • KonstantinDK
    Just make sure you can close it with ESC. And make sure every one knows that (display a tip when move mouse to the side of screen)
    Reply
  • And now we move the URL box 1 pixel to the left ... OMG FIREFOX 7
    Reply
  • aaron88_7
    Call me old fashioned but I like toolbars, menus, and browser skins. I have a 23" monitor, I don't need a full screen browser. After all, it's just a f-ing web browser. Most websites still aren't even optimized for widescreen so I don't know what they think people are missing out on.

    Next thing they'll be making their browsers compatible with triple monitor displays....
    Reply
  • DSpider
    Man, hackers will have a blast if they can get a fullscreen HTML5 portal to look like Windows XP (7 hasn't caught on yet for the majority of middle-aged men and women).

    Haha. I remember I sent a screenshot to one of my mom's co-workers a few years back and she didn't know how to close it. Hahahahahaha. She said she kept clicking the red X button from the picture for a minute or so. Omg... And I even had the silver theme on... I hope I don't EVER get like this when I'm old. Damn.
    Reply
  • JasonAkkerman
    Full screen??? hmmm F11 anyone?
    Reply
  • jacobdrj
    What makes this secure?

    Full screen is awesome on my netbook, FYI...
    Reply
  • brandonjclark
    Hmm, I've got seven tabs open right now and am using around 192mb. Sure, that's a lot for certain. But still, don't double the figure dude....

    Also, I see this as a bad thing. It sounds like it could be hijacked and then the user would think they were connecting to a site but it could then be spoofed.
    Reply