- From: David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
- Date: Wed, 28 Nov 2012 00:22:33 -0800
- To: Fred Andrews <fredandw@live.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAGiwpwgp6rYZsfZPUfJkbHhkLJzL1+omg94dj6LvVsSV6FXr-w@mail.gmail.com>
Hi Fred,

In Section 4 of the draft, the proposed "unsafe" boolean flag in the UIEvent object signals the webpage that obstruction was detected by the UA (whether it was caused by an attack or a benign transform). This allows the webpage to react with an extra confirmation dialog, or implement other custom fallbacks.

Thanks,
David

On Wed, Nov 21, 2012 at 2:21 AM, Fred Andrews <fredandw@live.com> wrote:

> The issue of transforms applied to an element receiving an event has been
> discussed before and the opinion offered was that transformed elements are
> not supported. Given that an element needs to be non-transformed to pass
> the obstruction check perhaps it would be appropriate to support elements
> being presented without transforms when about to receive events. The use
> case would be to support rich UI designs that still offer UI safety.
>
> For example, consider a UI that docks social widgets at the side of a page
> and scales them down and applies a perspective transform for effect. If
> input protection has been requested then these widgets would need to be
> presented unscaled and without the transform to pass the obstruction check.
>
> Could a UA recognize the issue and present the element in a little popup
> when hovering over it, or could the UA apply an extra confirmation step
> when an obstruction is detected and present the element unscaled and
> without the transform for confirmation? If so then perhaps an
> implementation note of the possibilities would be appropriate.
>
> Might it be appropriate to signal an event that the webpage could use to
> implement such presentation itself, with a default left to the UA? If so
> then the spec. would presumably need to define this event.
>
> For the case of a docked widget, a two step process would not be an
> unreasonable UI design, and is there enough support for webpage designers
> to be able to implement such a design.
>
> cheers
> Fred
Received on Wednesday, 28 November 2012 08:23:03 UTC
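
The page-side reaction described in the reply above (an extra confirmation step when the UA flags an event), as an added example that is not part of the original message or of the draft. Only the boolean `unsafe` flag on the event comes from the draft; `makeGuardedHandler`, `showConfirmation`, the status strings and the sample events are hypothetical and constructed for illustration.

```javascript
// Only the boolean `unsafe` event flag comes from the draft discussed above;
// every other name here is hypothetical and the events are constructed.
function makeGuardedHandler(action, showConfirmation) {
  let pending = false; // true while a confirmation step is outstanding
  return {
    // Listener for the sensitive control (for example a docked social widget).
    onActivate(event) {
      if (event.unsafe === true) {
        // The UA reported obstruction (attack or benign transform): defer.
        pending = true;
        showConfirmation();
        return "confirmation-requested";
      }
      pending = false;
      action();
      return "performed";
    },
    // Listener for the confirm control shown by showConfirmation().
    onConfirm(event) {
      if (!pending) return "ignored"; // no request outstanding
      if (event.unsafe === true) return "confirmation-rejected"; // still obstructed
      pending = false;
      action();
      return "performed";
    },
  };
}

// Constructed event sequence standing in for real UIEvent objects.
function runDemo() {
  const log = [];
  const guard = makeGuardedHandler(
    () => log.push("action"),
    () => log.push("dialog")
  );
  const statuses = [
    guard.onConfirm({ unsafe: false }),  // no request yet
    guard.onActivate({ unsafe: true }),  // flagged click on the widget
    guard.onConfirm({ unsafe: true }),   // confirm click is flagged too
    guard.onConfirm({ unsafe: false }),  // clean confirm click
    guard.onActivate({ unsafe: false }), // clean click on the widget
  ];
  return { statuses, log };
}
```

The confirm control is held to the same check as the original control, so an obstructed confirmation click does not complete the action.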