Re: [whatwg/dom] [Proposal] Add EventTarget.getEventListeners() (#412) from Andrea Giammarchi on 2022-03-09 (public-webapps-github@w3.org from March 2022)

From: Andrea Giammarchi <notifications@github.com>
Date: Wed, 09 Mar 2022 05:22:40 -0800
To: whatwg/dom <dom@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/dom/issues/412/1062916037@github.com>

> There's no security concern, there's an encapsulation concern.

Because JS in browsers preserves the string version of any function, dare I say there are security concerns too.

If any app adds a listener that's created on the backend and includes any sort of secret in it that should be theoretically not visible from any other running script (including the possibility to add such listener and then drop right after the script doing that) such function, which closure/scope should never be known out there, might leak some information once evil script getting randomly all listeners from all forms/inputs out there starts looking for specific details within some listener.

One might think this is all theoretical but where I work it's pretty much the daily way to deal with evil scripts (and vice-versa).

Having any listener exposed is, hence, a security concern too, imho.

> It's pretty much identical to that of closed shadow trees, come to think of it.

Exactly, and here web extensions also asked to have higher privileges ... so maybe this method of getting all listeners should be exposed only to web extensions that declare such intent? Yet please consider my previous point.

Last, but not least, the proposal considers only functions as listeners, instead of `{handleEvent(){}}` listeners, which are pretty common out there, and fully rely to the fact nothing without their reference can interfere with their state.

Exposing these kind of listeners will also result in tons of security/encapsulation concerns because that's a way to weakly relate DOM elements to any instance and most libraries using that pattern won't be inherently safe/working properly anymore.

> What kind of progress were you expecting?

Me, personally, a *won't fix*, not because I don't understand the use case, simply because it's been too many years that libraries trust the fact listeners set privately or ASAP will never be reachaed or removed from the node.

The argument about being able to do that anyway in user-land is also weak because I can trap `addEventListener` on top of the scripts and use that directly being sure that nobody can poison that method, hence securing the environment.

This technique is at the core of our injected code in ABP too and it's been rock-solid for years and (up to 100) million devices and we would never want anything to be able to remove a listener we purposely set because the user wants come guarantee.

Thanks for listening.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/412#issuecomment-1062916037
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/dom/issues/412/1062916037@github.com>

Received on Wednesday, 9 March 2022 13:22:53 UTC