- From: Szymon Marczak via GitHub <noreply@w3.org>
- Date: Tue, 24 Jun 2025 15:28:45 +0000
- To: public-pointer-events@w3.org

> That scenario is indeed remedied by permission controlled APIs as you suggested at the cost of users needing to take an explicit action and there are quite a lot of them as well and they are used for generally more sensitive stuff

No, it does not remedy anything. It just disables autoplay (irritating behavior) & auto full screen (full screen scam popups). Which is a good thing for non-technical people.

> The goal here was to protect against man in the middle attacks

There is no correlation between raw mouse events and man in the middle. If you have proof, even theoretical, I'd love to read it. Like I said earlier, even though you can't use browser-implemented hash functions, you can import a third party library at the cost of additional technical debt.

> disallow a script that doesn't belong to the host a user

Disabling raw mouse events does not achieve that. If someone wants to disallow MITM, then they need to use encryption. However, one need not do MITM to perform an attack. They can use a domain that is very similar to the victim. So using HTTPS does not prevent such attacks, any limitations on unencrypted HTTP are pointless.

--
GitHub Notification of comment by szmarczak
Please view or discuss this issue at https://github.com/w3c/pointerevents/pull/318#issuecomment-3000967774 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 24 June 2025 15:28:46 UTC