W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: [webappsec] Handling unsafe UI events

From: David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
Date: Tue, 15 Oct 2013 13:46:37 -0700
Message-ID: <CAGiwpwj1CD-CrdSv3L=s3SGi0hJue_Po-AyruhT42SW=dGYkGg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Oct 14, 2013 at 4:14 PM, Brad Hill <hillbrad@gmail.com> wrote:

> Issue 52 was raised by Adam Barth at the last F2F.  The nutshell
> description we recorded was:
>
> "requiring every handler to check unsafe makes it difficult to write the
> correct code. better would be to be able to provide a wrapper function that
> filters or intercepts all unsafe events so they can be acted on wherever
> they are generated."
>
> I am curious if and what spec text changes this implies.
>
> It is my understanding that a resource author that wished to handle events
> in this way could register a capturing handler on the root node of the
> document to stop propagation of any event with the unsafe flag set and
> forward them to a global function to deal with the violation.  (
> http://www.w3.org/TR/DOM-Level-2-Events/events.html)  Is that a correct
> interpretation?  Should we add advice to resource implementers to this
> effect?
>

What you described should work, and supplying an advice into the spec
sounds fine with me.


(One note is that there are browsers that only do event bubbling rather
than event capturing, but those browsers are not be W3C-compliant to begin
with. http://www.quirksmode.org/js/events_order.html)


> -Brad
>
Received on Tuesday, 15 October 2013 20:47:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC