W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

Re: in defence of listener discovery (ISSUE-32, ACTION-84)

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 11 Apr 2006 16:43:03 -0700
Message-ID: <443C3F07.10009@sicking.cc>
To: Al Gilman <Alfred.S.Gilman@IEEE.org>
Cc: WebAPI WG <public-webapi@w3.org>, wai-liaison@w3.org

>> However, exposing these functions to web pages does not sound like it 
>> is a requirement to you, is that correct? If that is the case, but you 
>> still want an API defined to access this information, maybe we could 
>> define a separate API specifically for accessibility tools that DOM 
>> implementations don't necessarily have to expose to web pages.
>>
>> If we did that I think we would have much greater freedom in adding 
>> functions since there would be virtually no concern about security, 
>> and the API could be defined with an entirely different set of users 
>> in mind (writers of accessibility tools, rather than web developers).
>>
>> Does that sound like a good solution.
> 
> I don't think so.
> 
> What you are suggesting sounds to me as though we would protect
> security holes in event listeners by security-by-obscurity.
> 
> I think this is an unproductive line of investigation, or an
> inappropriate security policy. Not a good place to set up one's
> defences.

Just detecting listeners i guess isn't really a security issue per se, 
but rather a privacy issue. I sometimes bundle the two together though 
they really are separate.

So while listeners should be able to handle being called at any point, 
just the fact that you can see that listeners are there could tell the 
page more about the user then he wants to give out.

But it is a bit worse then that actually. First of all once you get hold 
of a listener, you can unregister it or register them on a new target. 
This might not be something that all listeners could deal with and this 
might be a security problem.

Second, in mozilla we have the concept of 'trusted events'. For example 
a trusted click event is one that originated from the user clicking the 
mouse, rather then from script calling createEvent. EventListeners can 
then register to only be notified about trusted events. This is useful 
for example for popup blocking where you want to be able to tell that a 
user clicked an element that causes a popup to open rather then the page 
dispatching a click event to the element.

For these listeners it would be a security problem if the page could 
call them manually and circumvent the trusted-check. Of course, we could 
simply not expose these listeners to the new APIs, but that would 
probably make the APIs much less useful for accessibility.

/ Jonas
Received on Tuesday, 11 April 2006 23:43:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT