[webappsec] Handling unsafe UI events

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 14 Oct 2013 16:14:02 -0700
Message-ID: <CAEeYn8h_Q4bqgpKiWF2fgoUEiJrG8_ZOyXtugcGxABTnxNM_WQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Issue 52 was raised by Adam Barth at the last F2F.  The nutshell
description we recorded was:

"requiring every handler to check unsafe makes it difficult to write the
correct code. better would be to be able to provide a wrapper function that
filters or intercepts all unsafe events so they can be acted on wherever
they are generated."

I am curious if and what spec text changes this implies.

It is my understanding that a resource author that wished to handle events
in this way could register a capturing handler on the root node of the
document to stop propagation of any event with the unsafe flag set and
forward them to a global function to deal with the violation.  (
http://www.w3.org/TR/DOM-Level-2-Events/events.html)  Is that a correct
interpretation?  Should we add advice to resource implementers to this
effect?

-Brad
Received on Monday, 14 October 2013 23:14:31 UTC
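
The pattern described in the message above, as an added example that is not part of the original post or of any spec text: one capturing listener on the root stops events flagged unsafe before any target handler runs and forwards them to a single violation function. It assumes the flag is exposed as a boolean `unsafe` property on the event; `installUnsafeEventFilter`, `FakeNode` and `makeEvent` are hypothetical names, and in a browser the root would be `document`.

```javascript
// Added example. Assumption: the user agent sets a boolean `unsafe`
// property on events it considers unsafe; all function and class names
// here are hypothetical.
function installUnsafeEventFilter(root, types, onViolation) {
  function filter(event) {
    if (event.unsafe !== true) return; // safe events reach their targets
    event.stopPropagation();           // no listener below the root sees it
    event.preventDefault();            // stopping propagation alone keeps the default action
    onViolation(event);                // single place to act on the violation
  }
  for (const t of types) root.addEventListener(t, filter, true); // true = capture
}

// Constructed stand-in for a DOM tree so the example runs outside a browser.
// It models only the capture and target phases (no bubbling).
class FakeNode {
  constructor(parent = null) { this.parent = parent; this.listeners = []; }
  addEventListener(type, fn, capture = false) { this.listeners.push({ type, fn, capture }); }
  dispatchEvent(event) {
    const path = [];
    for (let n = this; n; n = n.parent) path.unshift(n); // root first
    for (const node of path) {
      for (const l of [...node.listeners]) {
        if (l.type === event.type && (l.capture || node === this)) l.fn(event);
      }
      if (event.stopped) break;
    }
    return !event.defaultPrevented;
  }
}

function makeEvent(type, unsafe, label) {
  return { type, unsafe, label, stopped: false, defaultPrevented: false,
    stopPropagation() { this.stopped = true; },
    preventDefault() { this.defaultPrevented = true; } };
}

function demo() {
  const root = new FakeNode(), button = new FakeNode(root);
  const handled = [], violations = [];
  button.addEventListener("click", (e) => handled.push(e.label));
  installUnsafeEventFilter(root, ["click"], (e) => violations.push(e.label));
  button.dispatchEvent(makeEvent("click", false, "genuine"));
  const allowed = button.dispatchEvent(makeEvent("click", true, "suspect"));
  return { handled, violations, defaultAllowed: allowed };
}
```

The filter only covers the event types it is registered for, so the list passed to it must include every UI event type the page acts on.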