Re: [pointerevents] setPointerCapture should be disabled in sandboxed iframes by default from Navid Zolghadr via GitHub on 2018-03-29 (public-pointer-events@w3.org from January to March 2018)

From: Navid Zolghadr via GitHub <sysbot+gh@w3.org>
Date: Thu, 29 Mar 2018 15:42:25 +0000
To: public-pointer-events@w3.org
Message-ID: <issue_comment.created-377277839-1522338144-sysbot+gh@w3.org>

I talked again with the folks here and as I said in the call they don't see a security risk here (also mentioned in [that private chromium bug](https://bugs.chromium.org/p/chromium/issues/detail?id=606896) with MS people and others). There might be an abuse of the API that may cause some user annoyance but we suggest to keep things as is and if that becomes a thing then we add more restrictions to the API as this is the pattern in the web platform for potential user annoyance from an API. I added future-v3 for now to keep and eye on this issue. I'm happy to discuss this further with other security folks @plehegar.

-- 
GitHub Notification of comment by NavidZ
Please view or discuss this issue at https://github.com/w3c/pointerevents/issues/16#issuecomment-377277839 using your GitHub account

Received on Thursday, 29 March 2018 15:42:29 UTC