W3C home > Mailing lists > Public > w3c-wai-ua@w3.org > July to September 2001

Re: DOM 3 Events comments

From: Philippe Le Hegaret <plh@w3.org>
Date: Fri, 24 Aug 2001 11:23:21 -0400
Message-ID: <3B867169.56193394@w3.org>
To: "Arnold, Curt" <Curt.Arnold@hyprotech.com>
Cc: "'www-dom@w3.org'" <www-dom@w3.org>, w3c-wai-ua@w3.org
"Arnold, Curt" wrote:
> EventListenerList:
> 
> This just seems dangerous.  If I'm using an event listener to synchronize a
> remote copy or to look for business rule auditing, this interface allows so
> other code to determine my identity and possibly
> remove me from the the event listener map for an object or send fake messages
> by attaching me to other documents.  I definitely could see some code identifing
> that other listeners were slowing it down and removing them.
> 
> I guess as long as you don't provide an method to enumerate EventGroup's, you
> could be safe from removal if you use addEventListenerGroup but it wouldn't prevent
> the fake message attack.
> 
> The use for this isn't obvious to me, could you explain why the plenary meeting
> wanted it.

The WAI folks would like to have access to scripting semantics and activation
schemes, and thus have access to scripting or role of each event attached to
element. the EventListener list improves a bit the situation. We cannot provide
a documentation on event handlers to describe what they do, tough. We're going to
reconsider the security concerns.

Philippe
Received on Friday, 24 August 2001 11:44:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 06:50:58 GMT