Re: [pointerevents] setPointerCapture should say something about iframes

Thanks, this mostly sounds good to me (I love the lack of special 
cases here).  But I'm worried it's not quite enough to maintain 
security properties I thought were important (so figured there was 
probably some special case in implementations here).  In particular, 
if the assignment of pointer IDs is predictable, then this allows an 
iframe to steal input events for touches that are nowhere near it.  
So, for example, an ad sandboxed in an iframe could cause any 
tap/click on the page to open a pop-up of it's choosing.  In some 
cases, the pattern of mouse/touch events themselves may be sensitive -
 eg. for a site that has a pin-pad for entering your password - an 
iframe shouldn't have access to those input events, right?

-- 
GitHub Notif of comment by RByers
See 
https://github.com/w3c/pointerevents/issues/16#issuecomment-115089089

Received on Thursday, 25 June 2015 03:26:23 UTC