- From: Masayuki Nakano <notifications@github.com>
- Date: Wed, 27 Sep 2017 23:21:19 -0700
- To: w3c/uievents <uievents@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 28 September 2017 06:22:12 UTC
If untrusted event always triggers default actions, what happens with untrsuted event can be a lot of good hits for fingerprinting. Additionally, it may cause leaking privacy. E.g., if Ctrl+V (paste in most platforms) is allowed, web app can steal any data in the clipboard. E.g., user might copied a password into the clipboard. Of course there are some default actions which should be performed for backward compatibility. E.g., click event on an <a href> element. So, untrusted events shouldn't trigger any default action unless it is important for backward compatibility. However, if web apps need to kick some default action, the action should be able to be performed with a new API rather than using untrusted event. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/uievents/issues/160#issuecomment-332739249
Received on Thursday, 28 September 2017 06:22:12 UTC