- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sat, 19 Sep 2009 22:26:13 -0400
- To: Travis Leithead <travil@microsoft.com>
- CC: "www-dom@w3.org" <www-dom@w3.org>
On 9/19/09 6:06 PM, Travis Leithead wrote:
> You raise an interesting security consideration though not a new one. Script-dispatchable events have been the means of working around pop-up blockers and the likes for some time. It might be worth exploring how to guarantee that clicks are from "genuine" sources

For what it's worth, Gecko exposes this as the isTrusted readonly boolean attribute on events. If true, that means the event was created by the browser itself (including sufficiently privileged script in "browser" here), not by random script on a webpage...

I don't think this is what Krzysztof was complaining about, though. His issue is that the browser itself will create click events when no click actually occurred, for compat with existing content (most of which predates widespread support for DOMActivate or has been cargo-culted or both).

-Boris
Received on Sunday, 20 September 2009 02:27:00 UTC
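
An added example, not part of the original message or of Gecko's code: a handler wrapper that refuses events dispatched by page script by checking the `isTrusted` attribute described above. The names `trustedOnly` and `demo` are hypothetical, and the sample events are constructed; it relies on the standard `Event`, `EventTarget` and `AbortController` globals.

```javascript
// Wrap a handler so it only runs for events the runtime itself created.
// Returns true if the wrapped handler ran, false if the event was refused.
function trustedOnly(handler) {
  return function (event) {
    // false for anything built with new Event()/createEvent() and sent
    // through dispatchEvent() by ordinary script.
    if (!event.isTrusted) {
      return false;
    }
    handler.call(this, event);
    return true;
  };
}

// Constructed demonstration: two script-made events and one runtime-made one.
function demo() {
  const outcomes = [];
  let ran = 0;
  const guarded = trustedOnly(() => { ran += 1; });

  const target = new EventTarget();
  target.addEventListener('click', (e) => outcomes.push(guarded(e)));

  // Script-dispatched click: refused.
  target.dispatchEvent(new Event('click'));
  // "isTrusted" is not a member of the init dictionary, so it is ignored
  // and the attribute stays false: refused as well.
  target.dispatchEvent(new Event('click', { isTrusted: true }));

  // An event dispatched by the runtime is trusted. AbortSignal's "abort"
  // event is used here because it can be produced without a user.
  const controller = new AbortController();
  controller.signal.addEventListener('abort', (e) => outcomes.push(guarded(e)));
  controller.abort();

  return { outcomes, ran };
}

// Caveat from the message above: isTrusted says who created the event, not
// that a physical click happened. Clicks the browser synthesizes for
// compatibility are still browser-created events.
```

In a page the wrapper would be attached directly, for example `button.addEventListener('click', trustedOnly(handler))`.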