- From: Giorgio Maone <g.maone@informaction.com>
- Date: Tue, 07 Jun 2011 19:28:35 +0200
- To: "sird@rckc.at" <sird@rckc.at>
- CC: Michal Zalewski <lcamtuf@coredump.cx>, public-web-security@w3.org
sird@rckc.at wrote, On 07/06/2011 19.15: > Minimum visibility you mean that unless the marked element is not > completely visible, then it shouldn't be clickable? > > -- Eduardo BTW, that's exactly what ClearClick enforces (it actually checks for keyboard events too, so "shouldn't be interactive" with a warning and an option to unlock): http://noscript.net/faq#clearclick -- G > > > On Tue, Jun 7, 2011 at 11:56 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote: >>>> 2) What if the button is visible (and therefore interactive), but only >>>> for a very short period of time before a premeditated click (not >>>> enough to give the user a chance to respond)? >>> This is something the host page could detect right? How long the mouse >>> is hovered over. >> >> And for that part - sort of, though not very easily (there are many >> odd corner cases, plus considerations with accessibility technologies >> or keyboard browsing). >> >> But most importantly, it's ugly, like framebusting or referrer >> clicking. Browser-enforced minimum visibility would probably be a >> useful part of a proposal like that. But that brings us pretty close >> to the original whatwg discussion ;-) >> >> /mz >> >
Received on Tuesday, 7 June 2011 17:29:03 UTC