This test page demonstrates a potential security vulnerability: an iframe is allowed to enter fullscreen mode
via the allowfullscreen attribute, which could be used for convincing phishing attacks that mimic browser or OS UI.
Test Case
<iframe
src="../assets/iframe-content.html"
allowfullscreen
width="100%"
height="300"
></iframe>
Explanation
The allowfullscreen attribute enables embedded content to use the Fullscreen API to take over the entire screen. While this is necessary for legitimate uses like video players, it presents security risks, especially for untrusted content:
- Fullscreen content can mimic browser UI elements like address bars, security indicators, or prompts
- Users may not realize they're interacting with embedded content rather than trusted system UI
- Phishing attacks could trick users into entering credentials or sensitive information
- Content could display misleading security indicators to create false trust
Modern browsers do show a notification when content enters fullscreen mode, but users may dismiss or miss this indication.
How Pink Sock detects this issue:
Pink Sock scans for iframe elements with the allowfullscreen attribute and flags them as a potential security risk, especially when combined with other risk factors like missing sandbox attributes or cross-origin content.
How to fix:
Consider these approaches to mitigate the risk:
- Only add allowfullscreen when absolutely necessary for functionality
- Use proper sandboxing alongside fullscreen permissions
- Only enable fullscreen for trusted content sources
- Educate users about fullscreen security indicators
If fullscreen is necessary, combine it with appropriate protections:
<iframe
src="../assets/iframe-content.html"
allowfullscreen
sandbox="allow-scripts allow-forms allow-same-origin"
width="100%"
height="300"
></iframe>
Remember that allowing scripts and same-origin together in sandbox can defeat sandbox protections, so evaluate the full security context.
Additional Information
Modern Alternatives
The allowfullscreen attribute is considered a legacy approach. The modern approach is to use the Feature Policy through the allow attribute:
<iframe
src="../assets/iframe-content.html"
allow="fullscreen"
width="100%"
height="300"
></iframe>
This provides more control and can be combined with other feature policies in a single attribute.
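As an added example, not Pink Sock's own code (the page does not show the scanner's internals), the following Python audit implements the kind of check described under "How Pink Sock detects this issue": it parses a page, finds every iframe that grants fullscreen either through the legacy allowfullscreen attribute or through allow="fullscreen", and raises the severity when the risk factors named above are present (no sandbox attribute, cross-origin content, or a sandbox that combines allow-scripts with allow-same-origin, the weak combination the "How to fix" section warns about). The sample HTML and the page URL are constructed for this example; the severity labels are an assumption, not Pink Sock's scoring.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # Valueless attributes such as bare `allowfullscreen` arrive as None.
            self.iframes.append({k: (v or "") for k, v in attrs})


def grants_fullscreen(attrs):
    """Return how the iframe grants fullscreen, or None if it does not."""
    if "allowfullscreen" in attrs:
        return "allowfullscreen"
    # `allow` is a ';'-separated list of policy directives, e.g. "fullscreen 'self'; camera 'none'".
    for directive in attrs.get("allow", "").split(";"):
        if directive.strip().split()[:1] == ["fullscreen"]:
            return "allow=fullscreen"
    return None


def is_cross_origin(src, page_origin):
    """Relative URLs are same-origin; anything with a host is compared against the page origin."""
    parsed = urlparse(src)
    if not parsed.netloc:
        return False
    scheme = parsed.scheme or page_origin[0]  # protocol-relative "//host/..." inherits the scheme
    return (scheme, parsed.netloc) != page_origin


def audit(html, page_url):
    """Flag fullscreen-capable iframes and list the risk factors that make them more dangerous."""
    page = urlparse(page_url)
    origin = (page.scheme, page.netloc)
    collector = IframeCollector()
    collector.feed(html)

    findings = []
    for attrs in collector.iframes:
        how = grants_fullscreen(attrs)
        if how is None:
            continue
        src = attrs.get("src", "")
        factors = []
        if "sandbox" not in attrs:
            factors.append("no sandbox")
        else:
            tokens = set(attrs["sandbox"].split())
            if {"allow-scripts", "allow-same-origin"} <= tokens:
                factors.append("sandbox allows scripts and same-origin together")
        if is_cross_origin(src, origin):
            factors.append("cross-origin content")
        findings.append({
            "src": src,
            "fullscreen_via": how,
            "risk_factors": factors,
            "severity": "high" if factors else "medium",  # assumed scoring for this example
        })
    return findings


# Constructed sample page: the four iframes cover the cases discussed in the text.
SAMPLE_HTML = """
<iframe src="../assets/iframe-content.html" allowfullscreen width="100%" height="300"></iframe>
<iframe src="../assets/iframe-content.html" allowfullscreen
        sandbox="allow-scripts allow-forms allow-same-origin"></iframe>
<iframe src="https://cdn.example.test/player.html" allow="fullscreen; camera 'none'"
        sandbox="allow-scripts"></iframe>
<iframe src="../assets/iframe-content.html" sandbox="allow-scripts"></iframe>
<iframe src="../assets/iframe-content.html" allow="fullscreen" sandbox="allow-scripts"></iframe>
"""


def run_sample():
    return audit(SAMPLE_HTML, "https://example.test/tests/index.html")


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["severity"].upper(), finding["src"], finding["fullscreen_via"], finding["risk_factors"])
```

The fourth iframe in the sample has no fullscreen grant at all and is skipped; the last one is sandboxed, same-origin and script-only, so it is reported at the lower severity because none of the aggravating factors apply.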
Real-World Attack Scenario
A malicious site could:
- Create an iframe with allowfullscreen
- Wait for user interaction to trigger fullscreen programmatically
- Display a perfect replica of a bank's login page with the correct URL in a fake browser UI
- Capture entered credentials when the user attempts to log in
- Exit fullscreen mode and redirect to the real site, making the attack difficult to detect
Browser Security Indicators
While browsers do show notifications when content enters fullscreen mode:
- Chrome shows a transient notification that fades away
- Firefox shows a persistent indication that "This page is in fullscreen mode"
- Safari shows a brief approval dialog before entering fullscreen
These protections help but may not be sufficient for all users, especially those unfamiliar with these security indicators.