
Re: click event considered broken

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sat, 19 Sep 2009 22:26:13 -0400
Message-ID: <4AB592C5.8090805@mit.edu>
To: Travis Leithead <travil@microsoft.com>
CC: "www-dom@w3.org" <www-dom@w3.org>

On 9/19/09 6:06 PM, Travis Leithead wrote:
> You raise an interesting security consideration though not a new one. Script-dispatchable events have been the means of working around pop-up blockers and the like for some time. It might be worth exploring how to guarantee that clicks are from "genuine" sources

For what it's worth, Gecko exposes this as the isTrusted readonly 
boolean attribute on events.  If true, that means the event was created 
by the browser itself (including sufficiently privileged script in 
"browser" here), not by random script on a webpage...

I don't think this is what Krzysztof was complaining about, though.  His 
issue is that the browser itself will create click events when no click 
actually occurred, for compat with existing content (most of which 
predates widespread support for DOMActivate or has been cargo-culted or 
both).

-Boris
Received on Sunday, 20 September 2009 02:27:00 GMT
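
An added example, not part of the message above and not Gecko's own code: a handler wrapper that uses the isTrusted attribute described in the message to refuse script-dispatched click events and record them instead. The names trustedOnly and demo are hypothetical, and the dispatched event is constructed for the demonstration.

```javascript
// Added example: gate a sensitive action on event.isTrusted.
// trustedOnly() and demo() are hypothetical names, not a browser API.

// Wrap a handler so it only runs for events the browser itself created.
// Events dispatched by page script are handed to onRejected (for logging)
// and the wrapped handler is never called.
function trustedOnly(handler, onRejected) {
  return function (event) {
    if (event.isTrusted !== true) {
      if (onRejected) onRejected(event);
      return undefined;
    }
    // Caveat raised in the message: isTrusted says who created the event,
    // not that a physical click occurred. The browser itself creates click
    // events for compatibility when no click happened, and those pass here.
    return handler.call(this, event);
  };
}

// Constructed demonstration: a script dispatches a synthetic "click".
// EventTarget and Event exist both in browsers and in Node.js.
function demo() {
  const target = new EventTarget();
  const result = { ran: 0, rejected: [] };
  target.addEventListener(
    "click",
    trustedOnly(
      () => { result.ran += 1; },              // the sensitive action
      (e) => { result.rejected.push(e.type); } // audit trail of refusals
    )
  );
  // Created by script, so isTrusted is false and the action must not run.
  target.dispatchEvent(new Event("click"));
  return result;
}
```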
