- From: Rick Byers via GitHub <sysbot+gh@w3.org>
- Date: Thu, 25 Jun 2015 03:26:18 +0000
- To: public-pointer-events@w3.org
Thanks, this mostly sounds good to me (I love the lack of special cases here). But I'm worried it's not quite enough to maintain security properties I thought were important (so figured there was probably some special case in implementations here). In particular, if the assignment of pointer IDs is predictable, then this allows an iframe to steal input events for touches that are nowhere near it. So, for example, an ad sandboxed in an iframe could cause any tap/click on the page to open a pop-up of it's choosing. In some cases, the pattern of mouse/touch events themselves may be sensitive - eg. for a site that has a pin-pad for entering your password - an iframe shouldn't have access to those input events, right? -- GitHub Notif of comment by RByers See https://github.com/w3c/pointerevents/issues/16#issuecomment-115089089
Received on Thursday, 25 June 2015 03:26:23 UTC