
Issue 592836

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Feature




http://thevideo.me/cxq7tjtu8ara opens a full screen window when clicking the video ad without warning

Project Member Reported by esprehn@chromium.org, Mar 8 2016

Issue description

Google Chrome	51.0.2667.0 (Official Build) canary (64-bit)
Revision	d285b019189141a8c235f9eed8764d6129043380-refs/heads/master@{#379160}
OS	Mac OS X 
Blink	537.36 (@d285b019189141a8c235f9eed8764d6129043380)

What steps will reproduce the problem?
(1) Load the page.
(2) Click the video.
(3) Full screen flash will appear
(4) Run this plugin if it didn't auto run.
(5) Click the video play button again.

What is the expected output? What do you see instead?

A popup is opened by the page which immediately goes full screen. No popup or "You've gone full screen" dialog is shown. I see an entirely white screen for several seconds, then a web page loads. This web page could probably easily phish me by faking the top level menu bar for OS X.
 
Sorry step (3) is full page flash plugin, it's not actually full screen. What happens here is that when you click the play button the first time the entire page is covered in flash. When you click the play button a second time the flash opens a new tab which then goes full screen immediately. That full screen tab shows no warning about what happened.
Cc: ojan@chromium.org
This is the page that opens in full screen:

http://www.nationalsurveypanel.com/rd_p?p=350698&t=24330&c=&a=2107&uid=4829102

Note that the page itself when loaded doesn't go full screen on load, it's something in the parent page that triggers it.
Cc: jialiul@chromium.org
Labels: -Type-Bug-Security -ReleaseBlock-Stable -M-51 Type-Bug
Thanks for reporting esprehn@.
Unfortunately, this is not a new vulnerability. For this type of "abuse", we usually rely on safe browsing backend or chrome's client side phishing detection to flag the social engineering page by showing an interstitial. But in this case, since the page does not fall into phishing or malware category, I would say it is working as intended, though personally I hate full screen ads/survey/anything too.

ppl in the cc list, feel free to chime in.
Cc: jww@chromium.org
It doesn't seem working as intended that the browser can transition to full screen mode hiding all OS controls, and not show any notification at all. I thought we showed a warning "This page has gone full screen" with Allow or Deny at the top of the screen. Where did that go?
esprehn@, I totally agree with you that users should be informed that they are in fullscreen and how to exit it. The current challenge is that these types of websites do not use fullscreen permission to trigger full screen (instead, they manipulate the popup window size), therefore no "page gone full screen" warning is shown.
We probably cannot just blindly block (fullsize) pop-up windows given there may be legit use cases. As I said, so far we rely on safe browsing backend to block known malicious websites, i.e. the landing page will be blocked before users can get into the fullscreen situation. Google safe browsing team does have a detection mechanism in place for this type of phishing/scareware/etc.

Labels: -Type-Bug Type-Feature
Labels: Restrict-View-SecurityTeam
I think you're misunderstanding me, the page is not just manipulating the size, the window is going **actual full screen**. The OS X menu bar hides, the only escape is to go to the top of the screen and click View > Exit Full Screen.

Please try the repro, open http://thevideo.me/cxq7tjtu8ara and follow the steps.

This is what I just saw doing this right now, the page shows an alert() as well, and then tries to phish me with a virus threat.

This is absolutely a Chrome bug, the page is doing OS level full screen and showing no warning dialog.
virus-threat.png (83.2 KB)
Cc: a...@chromium.org
Labels: ReleaseBlock-Beta
This is really critical, I don't know what happened to the "This page has gone full screen" dialog that used to appear, but apparently it's gone now. Which means clicking a link on any page can open a popup and then go full screen without you realizing what just happened.

ex.

1) Load https://davidwalsh.name/demo/fullscreen.php
2) Click "Launch full screen"
3) Notice you're now full screen, but Chrome doesn't give you any indication of what happened.

Chrome used to show a bubble at the top (see attached). Now apparently it doesn't show anything.

The issue in this bug is that http://thevideo.me/cxq7tjtu8ara opens a popup which goes full screen right away. That shouldn't even be possible, and we should *definitely* show an info bar or something.
full-screen-bubble.png (75.8 KB)
Labels: M-51
Note that Safari and Firefox don't go full screen on this page. Safari also doesn't seem to show any full screen warning... sigh. Firefox does show a warning.

Somehow the page in Chrome going full screen does it in such a way that the omnibox is also hidden even when you mouse to the top of the screen. Safari also hides the address bar, but at least keeps the window chrome so an average user can figure out how to escape (click the green bubble). Chrome has no green bubble to click. If I was a regular user (ex. my dad) I'd probably freak out and close Chrome entirely.

Note that if you go full screen on https://davidwalsh.name/demo/fullscreen.php and mouse to the top of the screen the address bar does come back. So it's something about thevideo.me that both goes full screen, and in such a way that the address bar vanishes, and also does it for a fresh popup.
firefox-warning.png (42.2 KB)
full-screen-chrome-no-address-bar.png (636 KB)
chrome-full-screen-no-green-bubble.png (747 KB)
safari-green-bubble.png (61.8 KB)

Comment 13 by ojan@chromium.org, Mar 8 2016

Interesting. I wonder if the page is serving different content to different people. I assumed that it was a Mac-only regression, but on my Mac I get a popup, not fullscreen. But I watched esprehn do this and it was definitely doing the OS fullscreen behavior on his Mac laptop.
Cc: -jsc...@chromium.org scheib@chromium.org ihf@chromium.org
Components: Security>UX Internals>Plugins>Flash
Adding in someone familiar with Flash and someone familiar with fullscreen, and flagging as security UX and Flash (while removing myself).

Comment 15 by egm@chromium.org, Mar 8 2016

There are two parallel issues being discussed on this thread: 
1. Confusion about the behavior of the new Fullscreen API prompt.
2. Concern that Flash can promote pages into fullscreen without user visible warning. 

On #1 - in M49 Views, M50 Mac we replaced the fullscreen infobar with a new prompt. It shows every time a site goes to fullscreen, and again after 15 minutes of inactivity - a screenshot of this prompt on https://davidwalsh.name/demo/fullscreen.php is attached. If you're not seeing a fullscreen prompt at all on sites that use the fullscreen web API, then that is a bug and a separate issue should be filed. 

On #2 - the original issue filed appears to be regarding how Flash jumps pages into fullscreen. I'm having trouble reproducing the bug myself, so if you could film a screencast of this happening on http://thevideo.me/cxq7tjtu8ara that would make it much easier to figure out what's specifically happening in this case and how we can resolve this issue. 


Screen Shot 2016-03-08 at 10.09.56 AM.png (176 KB)

Comment 16 by ihf@chromium.org, Mar 10 2016

Cc: xzh...@adobe.com smori...@adobe.com

Comment 17 by amin...@google.com, Mar 18 2016

Labels: OS-Linux OS-Mac OS-Windows
Looks to impact desktop platforms w/ Flash, add additional OS tags as appropriate - we use these to track blockers and hold pushes accordingly.
We're about 2 weeks away from M51 Beta launch. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged ASAP. Thank you.

Comment 19 by phil...@opera.com, Apr 7 2016

govind@, this issue doesn't have an owner.
Cc: pbomm...@chromium.org
Prudhvi, could you please try to find an owner for this?
Cc: pdr@chromium.org
Owner: jsc...@chromium.org
jschuh@ Did we remove the full screen warning dialog on purpose?
Components: Services>Safebrowsing
I did finally manage to reproduce something on this rather questionable site. It's not full screen, but a window.open with no/minimal chrome (only the URL bar is showing, and it says the page is from offers.alibaba.com), and the window is the full size of my screen. Or, it's maximized. Yeah, it's maximized. I reproduced it again, and this time the URL is http://eclkmpsa.com/adServe/banners?tid=ADSTERRADL&action=r.

As far as I can tell, this site is not abusing Flash or element.webkitRequestFullscreen, but rather it's abusing window.open. I guess we have some kind of maximize=yes option or something?

So, maybe we should remove that.

I reported the site to Safe Browsing.
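
Added example, not part of the original thread and not Chrome's code: the comments above separate Fullscreen API entry, which shows a prompt, from a popup opened at screen size through window.open, which does not. The sketch below flags the second case from a window.open features string; the function names, the sample strings and the 0.95 coverage threshold are assumptions made for illustration.

```javascript
// Parse a window.open() features string ("width=800,height=600,menubar=no")
// into a Map of lowercased feature names to raw values.
function parseWindowFeatures(features) {
  const out = new Map();
  for (const part of String(features || "").split(",")) {
    const [rawName, rawValue = "yes"] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (name) out.set(name, rawValue.trim().toLowerCase());
  }
  return out;
}

// Read a pixel dimension under either of its two names; NaN when absent or invalid.
function dimension(map, name, alias) {
  const raw = map.has(name) ? map.get(name) : map.get(alias);
  const n = parseInt(raw, 10);
  return Number.isFinite(n) && n > 0 ? n : NaN;
}

// Classify a popup request against the screen it would open on.
// threshold (assumed 0.95) is the fraction of the available area that
// counts as covering the screen.
function classifyPopup(features, screen, threshold = 0.95) {
  const map = parseWindowFeatures(features);
  const w = dimension(map, "width", "innerwidth");
  const h = dimension(map, "height", "innerheight");
  if (Number.isNaN(w) || Number.isNaN(h)) return "unsized";
  const covers = w >= screen.availWidth * threshold &&
                 h >= screen.availHeight * threshold;
  return covers ? "screen-covering" : "windowed";
}

// Constructed sample input: a laptop screen and two popup requests.
const sampleScreen = { availWidth: 1440, availHeight: 877 };
for (const f of ["width=1440,height=900,menubar=no,toolbar=no",
                 "width=400,height=300"]) {
  console.log(f, "->", classifyPopup(f, sampleScreen));
}
```

A request classified as screen-covering never passes through the Fullscreen API, so the fullscreen prompt described in comment 15 would not apply to it.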
Cc: f...@chromium.org
I don't track the security UX, but I assume felt@ can either provide or point you to someone with context.

Comment 25 by f...@chromium.org, Apr 7 2016

Re #22, 24: egm already answered this question in detail in comment #15.
I do see the full screen warning now that says "Press ESC to exit", when I originally tested this a month ago I got no warning at all... maybe it was fixed?

Note that this site is using ads, and the ads serve different content to different people. For me it would actually go native full screen, not window.open() maximized.
M51 Beta is launching very soon! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged ASAP. All changes MUST be merged into the release branch by 5pm on Apr-19th to make into the desktop Beta build cut. Thanks!
Status: WontFix (was: Untriaged)
Sigh, let's WontFix this. The ad was definitely doing something that made us go full screen with no dialog at all. Unfortunately ads also serve you different content all the time, so I suspect we can't repro this now.
Project Member

Comment 29 by sheriffbot@chromium.org, Jul 20 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: -Security>UX
Labels: Team-Security-UX
Security>UX component is deprecated in favor of the Team-Security-UX label
