> Remove "(site) is now fullscreen" nag message and make it faster
For a list that want to make the browser more secure, why do they want to remove the only line of defense against sites using fullscreen mode for phishing?
> Disable PDF reader
PDF.js has fewer security vulnerabilities than desktop PDF readers.
> Disable 'safe browsing' aka. Google tracking/logging
> PDF.js has fewer security vulnerabilities than desktop PDF readers.
You can limit desktop readers with something like AppArmor (no network access, only allowed to read files, only allowed to open *.pdf files, etc). You can't (AFAIK) do that with PDF.js.
AppArmor can't do a *.pdf restriction. Even if it could, you still let through access to every pdf on your system.
The point here is that the sandboxing needs to be watertight, or it's simply not effective. pdf.js runs in the JS sandbox, but here the file origin checking failed. Placing an OS-level sandbox around it doesn't help unless it is just as tight.
The warning is a bit annoying, but without it attacks like this would be harder to spot: http://feross.org/html5-fullscreen-api-attack/ (it's just a proof-of-concept, no malicious payload)
Who are all these people who apparently run their browser maximized? Web pages generally get worse as the window gets wider. (Unless, of course, they control their own width, but that's its own obvious prompt to stop wasting all your screen space.)
No, it would still have to be a small squarish display. Fixing the aspect ratio won't fix the problem that you have way more space than the website will take.
For a list that want to make the browser more secure, why do they want to remove the only line of defense against sites using fullscreen mode for phishing?
> Disable PDF reader
PDF.js has fewer security vulnerabilities than desktop PDF readers.
> Disable 'safe browsing' aka. Google tracking/logging
This seems like a really bad idea for most users