- From: Rick Byers via GitHub <sysbot+gh@w3.org>
- Date: Mon, 25 Apr 2016 15:22:11 +0000
- To: public-pointer-events@w3.org
The IDs for touch are often small and monotonically increasing in Edge (and it's of course entirely predictable for mouse), so I think there is a legitimate attack possible here (e.g. one could probably even try calling `setPointerCapture` on thousands of possible IDs on every RAF tick). @NavidZ do you want to see if you can write a proof-of-concept for this and try it on Edge? E.g. even having some cross-origin iframe attempt to `setPointerCapture` the mouse ID every RAF. I expect there will be some mitigation in the implementation that isn't captured by the spec.

Here are a couple of possible mitigations:

1. Restrict `setPointerCapture` to occurring only within the scope of a pointer event handler. Since you can only synchronously communicate between frames when they're the same origin, this should be adequate to eliminate any attack. But this might break some existing legitimate use cases where the decision to capture is made asynchronously.
2. Make `setPointerCapture` fail when the last target for the event belongs to a document that is not the same as, or a descendant of, the document being captured to. This would still prevent some potentially useful scenarios, so we could augment this with:
3. Also allow `setPointerCapture` into a particular document when the pointer is already captured to an `HTMLIframeElement` which is the `frameElement` corresponding to the targeting Element's `ownerDocument`.

--
GitHub Notification of comment by RByers
Please view or discuss this issue at https://github.com/w3c/pointerevents/issues/16#issuecomment-214390414 using your GitHub account
Received on Monday, 25 April 2016 15:23:59 UTC
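The following is an added example, not code from the thread, the Pointer Events spec or any browser: a small Node.js model of the frame tree and pointer state that implements the capture policy described by mitigations 2 and 3 as a single check. The names `Doc`, `makeElement`, `createFramedDocument`, `checkSetPointerCapture` and `demoScenario` are assumptions, as is the shape of the pointer-state object; the frame layout in `demoScenario` is constructed for illustration. It shows which `setPointerCapture` requests the policy would reject (a sibling or unrelated frame trying to grab a pointer that is not targeting it) and which it would still allow (an ancestor document, or a child document whose own `<iframe>` element already holds capture).

```javascript
'use strict';

// Toy model of the cross-document pointer-capture policy sketched in the
// message above (mitigations 2 and 3). Not browser code; it models only
// document ancestry and the pointer's current capture target.

class Doc {
  constructor(name, frameElement = null) {
    this.name = name;
    // For a framed document: the <iframe> element in the parent document
    // that hosts it (the spec's frameElement); null for a top-level document.
    this.frameElement = frameElement;
  }
  get parentDocument() {
    return this.frameElement ? this.frameElement.ownerDocument : null;
  }
}

// Minimal element: only ownerDocument and tagName matter for the policy.
function makeElement(ownerDocument, tagName = 'div') {
  return { tagName, ownerDocument };
}

// Create a child document hosted by an <iframe> element inside parentDoc.
function createFramedDocument(parentDoc, childName) {
  const iframe = makeElement(parentDoc, 'iframe');
  const child = new Doc(childName, iframe);
  iframe.contentDocument = child;
  return child;
}

function isSameOrDescendantOf(doc, ancestor) {
  for (let d = doc; d !== null; d = d.parentDocument) {
    if (d === ancestor) return true;
  }
  return false;
}

// Decide whether target.setPointerCapture(pointer.id) should succeed.
// pointer = { id, lastTargetDocument, captureTarget }, where captureTarget is
// the element currently holding capture for this pointer, or null.
function checkSetPointerCapture(target, pointer) {
  const requestingDoc = target.ownerDocument;

  // Mitigation 2: the pointer's last target must live in the requesting
  // document or in one of its descendant documents.
  if (isSameOrDescendantOf(pointer.lastTargetDocument, requestingDoc)) {
    return { allowed: true, reason: 'last target is in the same or a descendant document' };
  }

  // Mitigation 3: additionally allow capture into a document whose own
  // <iframe> element (its frameElement) currently holds the capture.
  const cap = pointer.captureTarget;
  if (cap && cap.tagName === 'iframe' && cap === requestingDoc.frameElement) {
    return { allowed: true, reason: "pointer is already captured to this document's frameElement" };
  }

  return { allowed: false, reason: 'rejected: pointer is not targeting this document' };
}

// Constructed scenario: top-level page A hosts iframes B and C; B hosts D.
function demoScenario() {
  const A = new Doc('A');
  const B = createFramedDocument(A, 'B');
  const C = createFramedDocument(A, 'C');
  const D = createFramedDocument(B, 'D');
  const results = {};

  // Pointer last targeted something inside D, nothing captured yet.
  let pointer = { id: 1, lastTargetDocument: D, captureTarget: null };
  results.ancestorA = checkSetPointerCapture(makeElement(A), pointer).allowed; // true
  results.ancestorB = checkSetPointerCapture(makeElement(B), pointer).allowed; // true
  results.siblingC = checkSetPointerCapture(makeElement(C), pointer).allowed;  // false

  // Pointer is over A itself: a child frame cannot grab it ...
  pointer = { id: 1, lastTargetDocument: A, captureTarget: null };
  results.childGrabsParent = checkSetPointerCapture(makeElement(B), pointer).allowed; // false

  // ... unless A has already captured the pointer to B's <iframe> element,
  // in which case only B (not C) may take it over.
  pointer = { id: 1, lastTargetDocument: A, captureTarget: B.frameElement };
  results.viaFrameElementB = checkSetPointerCapture(makeElement(B), pointer).allowed; // true
  results.viaFrameElementC = checkSetPointerCapture(makeElement(C), pointer).allowed; // false

  return results;
}

console.log(demoScenario());
```

Run with `node` to see the six decisions; the interesting rows are `siblingC` and `viaFrameElementC`, which are exactly the unrelated-frame requests the policy is meant to refuse, while `viaFrameElementB` shows that the mitigation 3 carve-out keeps the parent-hands-capture-to-child scenario working.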