- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 11 Apr 2006 16:43:03 -0700
- To: Al Gilman <Alfred.S.Gilman@IEEE.org>
- Cc: WebAPI WG <public-webapi@w3.org>, wai-liaison@w3.org
>> However, exposing these functions to web pages does not sound like it >> is a requirement to you, is that correct? If that is the case, but you >> still want an API defined to access this information, maybe we could >> define a separate API specifically for accessibility tools that DOM >> implementations don't necessarily have to expose to web pages. >> >> If we did that I think we would have much greater freedom in adding >> functions since there would be virtually no concern about security, >> and the API could be defined with an entirely different set of users >> in mind (writers of accessibility tools, rather than web developers). >> >> Does that sound like a good solution. > > I don't think so. > > What you are suggesting sounds to me as though we would protect > security holes in event listeners by security-by-obscurity. > > I think this is an unproductive line of investigation, or an > inappropriate security policy. Not a good place to set up one's > defences. Just detecting listeners i guess isn't really a security issue per se, but rather a privacy issue. I sometimes bundle the two together though they really are separate. So while listeners should be able to handle being called at any point, just the fact that you can see that listeners are there could tell the page more about the user then he wants to give out. But it is a bit worse then that actually. First of all once you get hold of a listener, you can unregister it or register them on a new target. This might not be something that all listeners could deal with and this might be a security problem. Second, in mozilla we have the concept of 'trusted events'. For example a trusted click event is one that originated from the user clicking the mouse, rather then from script calling createEvent. EventListeners can then register to only be notified about trusted events. This is useful for example for popup blocking where you want to be able to tell that a user clicked an element that causes a popup to open rather then the page dispatching a click event to the element. For these listeners it would be a security problem if the page could call them manually and circumvent the trusted-check. Of course, we could simply not expose these listeners to the new APIs, but that would probably make the APIs much less useful for accessibility. / Jonas
Received on Tuesday, 11 April 2006 23:43:35 UTC