
requestFullscreen() is deprecated on insecure origin, and support will be removed in the future

I'm getting this message in the console.

requestFullscreen() is deprecated on insecure origins, and support will be removed in the future.
You should consider switching your application to a secure origin, such as HTTPS. 
See https://goo.gl/rStTGz for more details.

I think that removing full screen functionality for regular HTTP is not a good idea. So will videos, games, and all casual full screen web applications require HTTPS too?

I know that F11 (Windows) or Cmd + F (Mac) will bring the app to full screen anyway, but now WebVR is coming, along with games in WebGL and other immersive experiences, so don't you think this will be a step back?

Pawel asked Oct 19 '22 08:10



1 Answer

Why is the fullscreen API restricted?

The fullscreen API allows malicious websites to mimic the web browser's and operating system's UI. While this may be visible to experienced users, novice computer users may not be able to distinguish the fake UI from the real one. This effect is even more pronounced on mobile operating systems, where the system UI is quite sparse and very predictable.

A potential attack could be to render a normal website/game upon going to fullscreen, but also mimic the browser chrome. When the user enters a new URL or opens a new tab, the content and the browser/OS UI are then under full control of the attacker.

For instance, the website may send you an email, and then fake your Gmail web interface login, green padlock and all, to steal your email credentials. Advanced attacks could even go into a normal full screen (without any UI) and offer a fake "End fullscreen" button.

For these reasons, web browsers limit the fullscreen API with a per-origin configuration. Typically, upon going to fullscreen for the first time, the browser asks you if it is OK. If you confirm, the web browser allows the origin to enter full screen without feedback next time.

An additional common restriction is that fullscreen cannot be entered upon page load, but requires a user interaction.

Why is HTTPS required to maintain the restriction?

Assume there is a popular game site that uses the fullscreen API via HTTP. Then there is an obvious security hole: every attacker on your route to the Internet can go into fullscreen by redirecting any unencrypted request to that website, and then rendering their own attacker code.

While it's rare (but certainly not impossible) for criminal attackers to run such an attack, there are multiple state-sponsored attackers who even try to fake TLS certificates.

Will videos, games, and all casual full screen web applications require HTTPS too?

If you want your website to be accessible in networks with censorship and/or JavaScript injection attacks, you need to use HTTPS anyway.

Since it doesn't cost anything to obtain a TLS certificate, the overhead of encryption is negligible, and insecure websites will generate a browser warning in the near future, the answer is:

Yes, all websites require HTTPS.

phihag answered Nov 03 '22 20:11

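As an added example (not code from the question or from phihag's answer), this shows how a page can apply the same restrictions the answer describes on its own side before calling requestFullscreen(): secure context, a user gesture, and the API being available, plus handling the rejected promise instead of failing silently. The `env` object is an assumed stand-in for `window`, `document` and `navigator` so the policy check can run outside a browser; in a real page the browser globals are passed in.

```javascript
// Added example: a pre-flight check mirroring the browser restrictions the
// answer describes (secure origin, user activation, Fullscreen API present).
// `env` is a constructed stand-in for the browser globals so the check can be
// exercised outside a browser; in a page, the real objects are passed in.
function fullscreenPolicy(env) {
  if (!env.isSecureContext) {
    return { allowed: false, reason: "insecure origin: serve the page over HTTPS" };
  }
  if (!env.fullscreenEnabled) {
    return { allowed: false, reason: "Fullscreen API disabled or unavailable" };
  }
  if (!env.userActivation || !env.userActivation.isActive) {
    return { allowed: false, reason: "no user gesture: call from a click/key handler" };
  }
  return { allowed: true, reason: "ok" };
}

// Wrap element.requestFullscreen() so a rejected promise yields a readable
// reason rather than an unhandled rejection. Resolves to { ok, reason }.
async function enterFullscreen(element, env) {
  const policy = fullscreenPolicy(env);
  if (!policy.allowed) return { ok: false, reason: policy.reason };
  try {
    await element.requestFullscreen();
    return { ok: true, reason: "ok" };
  } catch (err) {
    return { ok: false, reason: "browser refused: " + err.message };
  }
}

// Browser glue (skipped outside a browser): request fullscreen only from a
// user gesture, and log state changes on fullscreenchange so the page can
// show an honest in-page notice about which state the user is in.
if (typeof document !== "undefined" && document.addEventListener) {
  const env = {
    isSecureContext: window.isSecureContext,
    fullscreenEnabled: document.fullscreenEnabled,
    userActivation: navigator.userActivation, // live object; isActive is a getter
  };
  document.addEventListener("click", async () => {
    const result = await enterFullscreen(document.documentElement, env);
    if (!result.ok) console.warn("fullscreen not entered: " + result.reason);
  });
  document.addEventListener("fullscreenchange", () => {
    const state = document.fullscreenElement ? "entered fullscreen (press Esc to leave)" : "left fullscreen";
    console.log(state);
  });
}
```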