Skip to main content

Enhancing Web Security with the Permissions-Policy Fullscreen Directive

The Permissions-Policy directive (formerly known as Feature-Policy) is a powerful tool that web developers can use to control which browser features their web pages are allowed to access.

One such directive is "fullscreen", which governs the ability of a website to request full-screen access for its content. Full-screen functionality is commonly used in video players, gaming platforms, and presentation tools, but it also carries security risks if misused.

History and Origin of Permissions-Policy

The Permissions-Policy header was introduced by Google in 2018 under the name Feature-Policy. The main aim of this header was to provide developers with fine-grained control over powerful browser features to prevent misuse or abuse. The ability to request full-screen access has been available in browsers for some time, but as websites have become more complex and capable, the potential for abuse has grown. The fullscreen directive was added to Permissions-Policy to help mitigate these risks and ensure that only trusted and necessary content can request full-screen access.

Full-screen mode is often used in a legitimate context, such as streaming video, online gaming, or displaying web applications that benefit from larger screen real estate. However, it can also be misused by malicious actors in phishing attacks or to create deceptive user experiences that mask the true nature of a webpage.

What Does the Fullscreen Directive Do?

The "fullscreen" directive in the Permissions-Policy header controls whether a website can request full-screen access for its content. Full-screen mode can be triggered via the Fullscreen API, which allows an element (such as a video player or a webpage) to expand and take over the entire screen.

For example:

  • Setting fullscreen=() disallows any content on the page from requesting full-screen access.
  • Setting fullscreen=* allows the page or its embedded content to request full-screen functionality.

This control is crucial because, while full-screen mode is often beneficial for user experience in certain contexts, it can also be exploited in ways that compromise security or user trust.

Why Was It Added?

The fullscreen directive was introduced to address several important concerns:

  1. Preventing Phishing Attacks: Full-screen mode can be used to trick users into believing they are interacting with a legitimate website or interface, when in fact they are viewing a spoofed page designed to steal sensitive information. By taking over the entire screen, an attacker could hide browser elements like the address bar or security indicators, making it difficult for users to detect that they are on a malicious site. The fullscreen directive helps mitigate this by allowing developers to control which content is allowed to access full-screen mode.

  2. Improving User Safety: Unwanted full-screen prompts can create poor user experiences, as users may become confused or disoriented when their screen is unexpectedly taken over by a webpage. This can lead to unintentional interactions or, in some cases, even prevent users from easily exiting full-screen mode. By controlling full-screen access, developers can ensure that only trusted elements of their website can trigger this behaviour.

  3. Compliance with Security Best Practices: The fullscreen directive allows developers to follow the principle of least privilege. This principle suggests that websites should only request the permissions they need and no more. In this case, full-screen access should only be allowed when absolutely necessary, reducing the risk of abuse or accidental misuse.

Use Cases It Guards Against

The fullscreen directive helps protect against several problematic scenarios:

  1. Phishing and Deceptive Interfaces: Attackers could use full-screen mode to create a convincing replica of a login screen or payment portal, tricking users into entering their credentials or financial information. By hiding browser elements such as the address bar and security certificates, attackers can make it more difficult for users to recognise that they are on a malicious site. Restricting full-screen access prevents this attack vector.

  2. Malicious Pop-Ups and Ads: Some websites may trigger full-screen pop-ups or advertisements that can be difficult for users to dismiss, creating a frustrating or even harmful experience. In the worst cases, this behaviour can be used to display deceptive content or attempt to scam users. By managing full-screen permissions, developers can prevent untrusted or third-party content from abusing this functionality.

  3. Denial of User Control: Unintended or forced full-screen requests can interfere with the user’s ability to control their browsing experience. For example, a website might enter full-screen mode without a clear or accessible way for users to exit, causing confusion and frustration. The fullscreen directive ensures that full-screen access is only granted when necessary and for trusted content, improving the overall user experience.

  4. Interface Spoofing in Corporate or Sensitive Environments: In business environments, sensitive applications might be run in browsers. If full-screen mode is misused, attackers could spoof trusted internal websites or dashboards, leading to data theft or internal breaches. By controlling which content can request full-screen access, businesses can reduce the risk of interface spoofing.

Why Should You Set Permissions-Policy Fullscreen Correctly?

There are several compelling reasons why website owners should configure the fullscreen directive properly:

  1. Protecting Against Phishing and Security Threats: Phishing remains one of the most common and effective methods for attackers to steal credentials or sensitive data. The ability to take over the entire screen creates opportunities for malicious actors to obscure browser security indicators or deceive users into thinking they are interacting with a trusted site. Configuring the fullscreen directive to restrict access helps mitigate this risk, protecting both users and the site’s reputation.

  2. Ensuring a Positive User Experience: Poorly managed full-screen behaviour can confuse or frustrate users, leading to higher bounce rates and a negative perception of the website. By restricting full-screen access to trusted elements, developers can ensure that users have a smoother, more intuitive experience without unwanted interruptions or disorientation.

  3. Maintaining Trust and Security: Websites that take security seriously are more likely to retain user trust and build a positive reputation. By configuring the fullscreen directive, website owners can demonstrate that they are taking proactive steps to protect users from security risks, including phishing and deceptive interfaces.

  4. Preventing Abuse by Third-Party Content: Many websites integrate third-party content such as advertisements, media players, or widgets. Without control over full-screen access, these third-party elements could abuse the feature to display disruptive or harmful content. By setting the fullscreen directive correctly, website owners can prevent untrusted or unnecessary content from requesting full-screen access.

  5. Compliance with Security Best Practices: As security threats evolve, following best practices is crucial for maintaining a strong security posture. By enforcing the principle of least privilege and restricting full-screen access to only essential parts of the website, developers can reduce the risk of vulnerabilities and stay ahead of emerging threats.

Conclusion: Securing Full-Screen Access with the Fullscreen Directive

The Permissions-Policy fullscreen directive plays a vital role in ensuring that full-screen functionality is only available to trusted content on a website. While full-screen mode can enhance the user experience in legitimate use cases like video streaming and gaming, it can also be misused by attackers for phishing and deceptive purposes.

By configuring the fullscreen directive correctly, website owners can protect their users from these risks, ensuring a safer, more secure browsing experience. Whether safeguarding against phishing attacks, improving user experience, or maintaining compliance with security best practices, setting the fullscreen directive is an essential step in modern web security.

Related to this article are the following:

At SoftForge, we are passionate about delivering top-notch web hosting and development services that empower businesses to thrive online. Since our inception, we have been committed to innovation, quality, and customer satisfaction. Our journey is defined by our continuous pursuit of excellence and our desire to stay at the forefront of the digital industry.

From the initial concept to the final execution, we work closely with you to ensure that every aspect of your online presence is tailored to reflect your brand's identity, resonate with your target market, and support your long-term objectives. Together, we can build a digital platform that not only meets but exceeds expectations, turning your vision into a successful reality that drives growth and innovation.

Feel free to use the links below to reach out, discuss your needs, or to schedule a Google meeting with Stacey or Phil.

Contact SoftForge
Book a meeting with Phil
Book a meeting with Stacey