W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2008

[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

From: Michal Zalewski <lcamtuf@dione.cc>
Date: Sun, 28 Sep 2008 11:25:53 +0200 (CEST)
Message-ID: <Pine.LNX.4.64.0809281118260.10659@dione.cc>
On Sat, 27 Sep 2008, Jim Jewett wrote:

> uhm... that is exactly when involuntary actions are *most* likely.

It's not about merely clicking something accidentally - it's about 
clicking at a very specific place, as intended by the attacker, to trigger 
a very specific functionality on a targeted page. So I do not quite see 
how random "frustration" / wrong window focus clicks could apply (and it's 
a problem that no application is really designed to handle [1]).

> Many programs become unresponsive during launch and/or setup.  I
> typically switch to another program (or another page), but the mouse
> events (and even keyboard keys) don't always go to the right place.

That's odd, and I would be willing to say that this is a problem that 
needs to be addressed by your window manager or OS vendor. Window focus 
management and message queues should be independent of any particular 
application's responsiveness to messages sent to it.

I honestly do not recall any situation where I would end up sending click 
events to the wrong application because the focus switch operation I just 
executed seemed to work, but in reality did not (if the application is not 
responsive, it would very likely not redraw itself, which means I would 
have nothing to click on).

Cheers,
/mz

[1] Well, except for http://www.bitboost.com/pawsense/
Received on Sunday, 28 September 2008 02:25:53 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:05 UTC