W3C home > Mailing lists > Public > www-dom@w3.org > July to September 2011

Re: Valid auto-invocation events

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 06 Sep 2011 09:45:18 -0400
Message-ID: <4E6623EE.8010906@mit.edu>
To: www-dom@w3.org
On 9/6/11 7:52 AM, Robin Berjon wrote:
> in working on the Contacts API[0], DAP has described a security model in which opening up a contacts picker (which is similar in idea to a file picker, but  you guessed if  for contacts rather than files) can be triggered only by code that traces back to a genuine user action.
> The set of events that could pull that trigger was called "valid auto-invocation events"[1], and defined to include click, dblclick, and mouseup.

I strongly object to this definition.  The concept of "user action" is 
very UA-specific, and should in my opinion be up to the UA.

For example, I believe as a UA author I should have the option of 
treating a click on "opacity:0.00001" content as not a user action.... 
I fully expect UAs to end up implementing such heuristics as more and 
more sites try to use hacks like that to work around UA popup blocking; 
if we put even more important things than popups in the same bucket, 
then there will be even more incentive for both the hacks and the 
improved heuristics.

> It would seem that this could usefully be shared across several specifications that might wish to rely on the same kind of limitation and that guaranteeing some interoperability would be helpful here.

I agree that sharing this definition across specifications is a really 
good idea, because I expect it to be hard to define this sanely.

Received on Tuesday, 6 September 2011 13:45:48 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 20 October 2015 10:46:18 UTC