5

I'm getting this message in the console.

requestFullscreen() is deprecated on insecure origins, and support will be removed in the future.
You should consider switching your application to a secure origin, such as HTTPS. 
See https://goo.gl/rStTGz for more details.

I think that removing full screen functionality for regular http is not a good idea. So will videos, games, and all casual full screen web applications require https too?

I know that F11(Windows) or Cmd + F(Mac) will bring the app to the full screen anyway but now WebVR is coming, games in WebGL and other immersive experiences so don't you think that this will be a step back?

Pawel
  • While an important question, this does not fit SO as it's opinion-based and pretty much "*has nothing to do with programming*". You may consider discussing this on the [webgl-dev-list](https://groups.google.com/d/forum/webgl-dev-list) – LJᛃ Jun 23 '15 at 14:37
  • 2
    actually it should be discussed on one of the w3 lists or the blink list. [Here's one of the threads where it's being discussed](https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/2LXKVWYkOus%5B1-25%5D) – gman Jun 25 '15 at 16:26

1 Answer

3

Why is the fullscreen API restricted?

The fullscreen API allows malicious websites to mimic the web browser's and operating system's UI. While this may be visible to experienced users, novice computer users may not be able to distinguish between the fake UI and the real one. This effect is even more pronounced on mobile operating systems, where the system UI is quite sparse and very predictable.

A potential attack could be to render a normal website/game upon going to fullscreen, but also mimic the browser chrome. When the user enters a new URL or opens a new tab, the content and the browser/OS UI is then under full control of the attacker.

For instance, the website may send you an email, and then fake your Gmail web interface login, green padlock and all, to steal your email credentials. Advanced attacks could even go into a normal full screen (without any UI) and offer a fake "End fullscreen" button.

For these reasons, web browsers limit the fullscreen API with a per-origin configuration. Typically, upon going to fullscreen for the first time, the browser asks you if it is OK. If you confirm, the web browser allows the origin to enter full screen without feedback the next time.

An additional common restriction is that fullscreen can not be entered upon page load, but requires a user interaction.

Why is HTTPS required to maintain the restriction?

Assume there is a popular game site that uses the fullscreen API via HTTP. Then there is an obvious security hole: Every attacker on your route to the Internet can go into fullscreen by redirecting any unencrypted request to that website, and then rendering their own attacker code.

While it's rare (but certainly not impossible) for criminal attackers to run such an attack, there are multiple state-sponsored attackers who even try to fake TLS certificates.

Will videos, games, and all casual full screen web applications require HTTPS too?

If you want your website to be accessible in networks with censorship and/or JavaScript injection attacks, you need to use HTTPS anyways.

Since it doesn't cost anything to obtain a TLS certificate, the overhead of encryption is negligible, and insecure websites will generate a browser warning in the near future, the answer is:

Yes, all websites require HTTPS.

phihag
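As an added example (not code from the question or the answer above), the following gates `requestFullscreen()` on the three conditions the answer describes: a secure origin, fullscreen being permitted by the browser, and a user gesture rather than page load. The origin check is a simplified approximation of the "potentially trustworthy origin" rule browsers use for secure contexts, and `requestFullscreenSafely` assumes a standard `Window` and an element that supports `requestFullscreen()`.

```javascript
// Approximation of the secure-context origin rule: https/wss/file schemes,
// "localhost" (and *.localhost), or a loopback IP count as secure.
function isPotentiallyTrustworthyOrigin(urlString) {
  const u = new URL(urlString);
  if (["https:", "wss:", "file:"].includes(u.protocol)) return true;
  const host = u.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true; // 127.0.0.0/8
  return host === "::1";
}

// Pure policy decision, so it can be unit-tested without a browser.
function fullscreenDecision(ctx) {
  if (!ctx.isSecureContext) return { allowed: false, reason: "insecure-origin" };
  if (!ctx.fullscreenEnabled) return { allowed: false, reason: "fullscreen-disabled" };
  if (!ctx.userActivated) return { allowed: false, reason: "no-user-gesture" };
  return { allowed: true, reason: "ok" };
}

// Browser wiring. Call this from a click handler (userActivated = true),
// never on page load; returns the decision so the page can show a fallback hint.
async function requestFullscreenSafely(win, target, userActivated) {
  const ctx = {
    isSecureContext: win.isSecureContext === true,       // false on plain http
    fullscreenEnabled: win.document.fullscreenEnabled === true,
    userActivated: userActivated === true,
  };
  const decision = fullscreenDecision(ctx);
  if (!decision.allowed) return decision;
  try {
    await target.requestFullscreen(); // rejects if the browser still refuses
    return decision;
  } catch (err) {
    return { allowed: false, reason: "rejected: " + err.name };
  }
}

// Example page usage (element ids are assumed):
// document.getElementById("go-fullscreen").addEventListener("click", () =>
//   requestFullscreenSafely(window, document.getElementById("game"), true)
//     .then((d) => { if (!d.allowed) console.warn("fullscreen refused:", d.reason); }));
```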
  • Thanks for detailed answer, I upgraded my game to https some time ago https://bad.city – Pawel Mar 15 '17 at 15:41
  • The current revision of your answer states: "it doesn't cost anything to obtain a TLS certificate", linking to the Let's Encrypt CA as evidence for your claim. But obtaining a certificate from Let's Encrypt or any other CA that follows the CA/Browser Forum Baseline Requirements requires a fully qualified domain name (FQDN). If one plans to (say) stream video from a home server across a private home LAN, how should one obtain a FQDN for said server without it costing anything? – Damian Yerrick Mar 22 '17 at 18:51
  • @DamianYerrick There are numerous free services that allow you to obtain a FQDN, such as [Hurricane Electric](https://dns.he.net/), [zonomi](https://zonomi.com/) and [noip](http://www.noip.com/free). – phihag Mar 22 '17 at 20:39
  • @phihag Zonomi is just DNS hosting, not registration; you still have to buy a domain to use it. The others use subdomains, and I thought the [Let's Encrypt rate limit](https://letsencrypt.org/docs/rate-limits/) permitted only twenty subdomain holders under the same registered domain to obtain a certificate per week. – Damian Yerrick Mar 24 '17 at 17:18