[Bug 9602] Autofocus attribute.

http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602


Shelley Powers <shelleyp@burningbird.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |shelleyp@burningbird.net
--- Comment #11 from Shelley Powers <shelleyp@burningbird.net>  2010-08-05 14:12:53 ---
(In reply to comment #10)
> (In reply to comment #9)
> > Is anyone seriously going to go out of their way to attack the tiny percentage
> > of users who have script disabled?  Normal attackers will just use script,
> > something as convoluted as this is not worth the effort to them -- simple XSS
> > would be much easier to write and much more effective.  If some users don't
> > want autofocus, they can turn off autofocus as well as script (if their browser
> > permits).
> 
> I think that argument goes both ways. Who needs to autofocus something? Google?
> I mean, what is its use, if the same can be accomplished by JavaScript too?
> 
> Besides, there is a great percentage of users who have the NoScript extension
> for Firefox installed. Another considerable number of users have disabled
> JavaScript altogether for obvious security purposes.
> 
> I like the idea of the option to turn it off. In Firefox this doesn't seem
> possible yet, at least not in the configuration screen. But as Anne suggested,
> if JavaScript is disabled, such attribute routines could be turned off as well.
> The latter would be great in my opinion.


Unfortunately, this doesn't solve the problem of autofocus being a security
gap. As has been discussed in the bug to deprecate noscript, corporations
incorporate software into their firewalls to strip JavaScript from pages served
to their employees. However, the employee browsers still show that script is
enabled.

Since there would be no indication that scripting is turned off in these
circumstances, there would be nothing to trigger "turning off" autofocus. This
would leave these employees particularly vulnerable, as they would assume that
pages are safe, because scripting has been disabled.

Received on Thursday, 5 August 2010 14:12:55 UTC
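The point in comment #11 is that a proxy which strips JavaScript from served pages leaves the autofocus attribute untouched, and the browser has no way of knowing that scripting was removed upstream. The following is an added illustration, not code from the bug thread or from any product mentioned in it: a toy model of such a "strip JavaScript" filter run over a constructed sample page, alongside the stricter variant that also drops autofocus. The sample page, the `beacon()` handler name and the regular-expression stripping are all assumptions made for the example; a real filter must parse the HTML rather than pattern-match it.

```javascript
// Added example, not part of the W3C bug thread. Models the corporate
// "strip JavaScript" proxy described in comment #11 and shows that it
// leaves the autofocus attribute in place unless it is told to remove it.
// Regex-based stripping is used only to keep this self-contained; it is
// NOT a safe sanitiser for real-world HTML.

// Constructed sample page (hypothetical): a login form with a script,
// an inline handler and an autofocus attribute.
const SAMPLE_PAGE = `<!DOCTYPE html>
<html><body>
<script>document.forms[0].password.focus();</script>
<form action="/login" method="post">
  <input name="user">
  <input name="password" type="password" autofocus onfocus="beacon()">
</form>
</body></html>`;

// What the proxy in the thread does: drop <script> elements and
// inline on* event handlers, nothing else.
function stripScripts(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// The stricter filter the thread asks for: additionally remove autofocus,
// whether written as a bare boolean attribute or with a value.
function stripScriptsAndAutofocus(html) {
  return stripScripts(html)
    .replace(/\s+autofocus(\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?(?=[\s>\/])/gi, '');
}

// Checks used to see what survives each filter.
function usesScript(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}
function usesAutofocus(html) {
  return /<[^>]*\sautofocus(\s|=|>|\/)/i.test(html);
}

// Summarise the effect of each filter on the sample page.
function filterReport(html = SAMPLE_PAGE) {
  const afterProxy = stripScripts(html);
  const afterStrict = stripScriptsAndAutofocus(html);
  return {
    proxyRemovedScript: !usesScript(afterProxy),
    proxyLeftAutofocus: usesAutofocus(afterProxy),
    strictLeftAutofocus: usesAutofocus(afterStrict),
  };
}

console.log(filterReport());
```

With the script-only filter the page comes back with no `<script>` and no inline handlers, but `<input ... autofocus>` is still there, which is exactly the situation the comment describes: the browser reports scripting as enabled, so any "disable autofocus when script is off" rule never fires. Only the stricter filter closes that gap, and it has to be applied on the proxy, because nothing on the client side can tell that the page was altered.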