W3C home > Mailing lists > Public > public-pointer-events@w3.org > April to June 2015

Re: [pointerevents] setPointerCapture should say something about iframes

From: Rick Byers via GitHub <sysbot+gh@w3.org>
Date: Thu, 25 Jun 2015 03:26:18 +0000
To: public-pointer-events@w3.org
Message-ID: <issue_comment.created-115089089-1435202777-sysbot+gh@w3.org>
Thanks, this mostly sounds good to me (I love the lack of special 
cases here).  But I'm worried it's not quite enough to maintain 
security properties I thought were important (so figured there was 
probably some special case in implementations here).  In particular, 
if the assignment of pointer IDs is predictable, then this allows an 
iframe to steal input events for touches that are nowhere near it.  
So, for example, an ad sandboxed in an iframe could cause any 
tap/click on the page to open a pop-up of it's choosing.  In some 
cases, the pattern of mouse/touch events themselves may be sensitive -
 eg. for a site that has a pin-pad for entering your password - an 
iframe shouldn't have access to those input events, right?

GitHub Notif of comment by RByers
Received on Thursday, 25 June 2015 03:26:23 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 25 June 2015 03:26:23 UTC