requestFullscreen() is deprecated on insecure origin, and support will be removed in the future

Views: 233

Problem description

I am getting this message in the console.

  requestFullscreen() is deprecated on insecure origins, and support will be removed in the future.
  You should consider switching your application to a secure origin, such as HTTPS.
  See https://goo.gl/rStTGz for more details.

I don't think that removing full screen functionality for regular HTTP is a good idea.

I know that F11 (Windows) or Cmd + F (Mac) will bring the app to full screen anyway, but now WebVR is coming, games in WebGL and other immersive experiences, so don't you think this is a step back?

Solution

Why is the fullscreen API restricted?

The fullscreen API allows malicious websites to mimic the UI of the web browser and the operating system. While this may be visible to experienced users, novice computer users may not be able to tell the fake UI from the real one. This effect is even more pronounced on mobile operating systems, where the system UI is very sparse and highly predictable.

A potential attack would be to render a normal website/game upon entering fullscreen mode while also mimicking the browser chrome. When the user enters a new URL or opens a new tab, the content and the browser/OS UI are then under the attacker's full control.

For example, the website might send you an email and then fake your Gmail web interface login, green padlock and all, to steal your email credentials. Advanced attacks could even go into normal fullscreen (without any UI) and offer a fake "End fullscreen" button.

For these reasons, web browsers limit the fullscreen API with a per-origin configuration. Typically, the first time you enter fullscreen mode, the browser asks whether that is OK. If you confirm, the web browser allows that origin to enter fullscreen the next time without prompting.

Another common restriction is that fullscreen cannot be entered on page load; it requires a user interaction.

Why is HTTPS required to maintain the restriction?

Assume there is a popular game site that uses the fullscreen API over HTTP. Then there is an obvious security hole: every attacker on your route to the Internet can enter fullscreen by redirecting any unencrypted request to that website and then rendering their own attacker code.

While it is rare (but certainly not impossible) for criminal attackers to carry out such an attack, there are even multiple state-sponsored attackers who try to fake TLS certificates.

Will videos, games, and all casual full screen web applications require HTTPS too?

If you want your website to be accessible in networks with censorship and/or JavaScript injection attacks, you still need to use HTTPS.

Since obtaining a TLS certificate costs nothing, the overhead of encryption is negligible, and insecure websites will generate browser warnings in the near future, the answer is:

Yes, all websites require HTTPS.


I'm getting this message in the console.

  requestFullscreen() is deprecated on insecure origins, and support will be removed in the future.
  You should consider switching your application to a secure origin, such as HTTPS.
  See https://goo.gl/rStTGz for more details.

I think that removing full screen functionality for regular http is not a good idea. So will videos, games, and all casual full screen web applications require https too?

I know that F11 (Windows) or Cmd + F (Mac) will bring the app to the full screen anyway but now WebVR is coming, games in WebGL and other immersive experiences so don't you think that this will be a step back?

Solution

Why is the fullscreen API restricted?

The fullscreen API allows malicious websites to mimic the web browser's and operating system's UI. While this may be visible for experienced users, novice computer users may not be able to distinguish the fake UI and the real one. This effect is even more pronounced on mobile operating systems, where the system UI is quite sparse and very predictable.

A potential attack could be to render a normal website/game upon going to fullscreen, but also mimic the browser chrome. When the user enters a new URL or opens a new tab, the content and the browser/OS UI is then under full control of the attacker.

For instance, the website may send you an email, and then fake your gmail web interface login, green padlock and all, to steal your email credentials. Advanced attacks could even go into a normal full screen (without any UI) and offer a fake "End fullscreen" button.

For these reasons, web browsers limit the fullscreen API with a per-origin configuration. Typically, upon going to fullscreen for the first time, the browser asks you if it is ok. If you confirm, the web browser allows the origin to enter full screen without a feedback next time.

An additional common restriction is that fullscreen can not be entered upon page load, but requires a user interaction.

Why is HTTPS required to maintain the restriction?

Assume there is a popular game site that uses the fullscreen API via HTTP. Then there is an obvious security hole: Every attacker on your route to the Internet can go into fullscreen by redirecting any unencrypted request to that website, and then rendering their own attacker code.

While it's rare (but certainly not impossible) for criminal attackers to run such an attack, there are multiple state-sponsored attackers who even try to fake TLS certificates.

Will videos, games, and all casual full screen web applications require HTTPS too?

If you want your website to be accessible in networks with censorship and/or JavaScript injection attacks, you need to use HTTPS anyways.

Since it doesn't cost anything to obtain a TLS certificate and the overhead of encryption is negligible and insecure websites will generate a browser warning in the near future, the answer is:

Yes, all websites require HTTPS.
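As an added illustration of the three conditions the answer describes (secure origin, per-origin availability, user interaction), the helper below is not part of the original question or answer. It takes `win` and `doc` as parameters, an assumption made so the logic can be exercised outside a browser against constructed stand-in objects, and reports why a request would be skipped rather than letting `requestFullscreen()` fail silently.

```javascript
// Added example (not from the original post). `win` and `doc` stand in for
// window and document so the checks can run against constructed objects.

// Returns the reasons a fullscreen request would be rejected or unreliable;
// an empty list means it is worth attempting. Unknown capabilities (property
// missing in an old browser) are not treated as blockers.
function fullscreenBlockers(win, doc) {
  const reasons = [];
  // Deprecation on insecure origins: plain http:// pages are not secure
  // contexts (https://, localhost and file: are).
  if (win.isSecureContext === false) reasons.push("insecure-origin");
  // The browser or embedding page may have disabled the API for this origin
  // (e.g. an iframe without allowfullscreen, or a user setting).
  if (doc.fullscreenEnabled === false) reasons.push("fullscreen-disabled");
  // Fullscreen cannot be entered on page load; a user gesture is required.
  const ua = win.navigator && win.navigator.userActivation;
  if (ua && !ua.isActive) reasons.push("no-user-activation");
  return reasons;
}

// Attempts to enter fullscreen on `el`. Resolves to an outcome string instead
// of throwing, so the caller can offer a fallback (e.g. a hint to press F11).
async function enterFullscreen(el, win, doc) {
  const blockers = fullscreenBlockers(win, doc);
  if (blockers.length) return `skipped:${blockers.join(",")}`;
  try {
    await el.requestFullscreen();
    return "entered";
  } catch (err) {
    // Browsers reject with a TypeError when the request is not allowed.
    return `rejected:${err && err.name}`;
  }
}

// In a real page, call it from a click handler so user activation is present:
//   button.addEventListener("click", () =>
//     enterFullscreen(canvas, window, document).then(console.log));
```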
