Re: [pointerevents] setPointerCapture should say something about iframes

We [discussed this today](https://www.w3.org/2016/04/26-pointerevents-minutes.html#item04)
on the call.

It sounds like there's agreement that at a minimum sandboxed iframes 
shouldn't permit capture from outside their frame in order to prevent 
user annoyance, in the same way that they
[don't permit pointer lock](https://html.spec.whatwg.org/multipage/browsers.html#attr-iframe-sandbox-allow-pointer-lock)
by default.

However, it's not clear whether there is real privacy/security risk 
here in practice.  There are a number of reasons this is hard to 
usefully exploit.  Discussion of this is moving to
[this private issue](https://bugs.chromium.org/p/chromium/issues/detail?id=606896)
to permit concrete discussion of potential attack vectors.

-- 
GitHub Notification of comment by RByers
Please view or discuss this issue at 
https://github.com/w3c/pointerevents/issues/16#issuecomment-214862782 
using your GitHub account

Received on Tuesday, 26 April 2016 19:41:12 UTC