Opened 7 weeks ago

Last modified 7 weeks ago

#31951 new defect

Disable "Full-screen browsing" by default on Android

Reported by: sysrqb
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-mobile
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Fennec gives the option of enabling/disabling full-screen browsing where the chrome toolbar disappears when the user scrolls down a page. This is enabled by default. This has the nice benefit of giving users more screen space for the webpage content; however, this also gives websites an opportunity where they can spoof the security-critical browser chrome.

Change History (1)

comment:1 Changed 7 weeks ago by Thorin

I'm not sure if you already do this for Android, but I would be more concerned with the FS API (full-screen-api.enabled). Even though it requires a user-gesture (it wouldn't be hard to cover the entire window in an element), I see this as a far more feasible attack to mimic chrome than trying to detect the toolbar display and replacing/removing-the-spoof as required. The lag would give it away - you'd see two toolbars (especially as you scroll really slowly: try it). Unless I'm missing something?
