- From: Philippe Le Hegaret <plh@w3.org>
- Date: Fri, 24 Aug 2001 11:23:21 -0400
- To: "Arnold, Curt" <Curt.Arnold@hyprotech.com>
- Cc: "'www-dom@w3.org'" <www-dom@w3.org>, w3c-wai-ua@w3.org
"Arnold, Curt" wrote:

> EventListenerList:
>
> This just seems dangerous. If I'm using an event listener to synchronize a
> remote copy or to look for business rule auditing, this interface allows some
> other code to determine my identity and possibly
> remove me from the event listener map for an object or send fake messages
> by attaching me to other documents. I definitely could see some code identifying
> that other listeners were slowing it down and removing them.
>
> I guess as long as you don't provide a method to enumerate EventGroup's, you
> could be safe from removal if you use addEventListenerGroup but it wouldn't prevent
> the fake message attack.
>
> The use for this isn't obvious to me, could you explain why the plenary meeting
> wanted it.

The WAI folks would like to have access to scripting semantics and activation schemes, and thus have access to scripting or role of each event attached to element. The EventListener list improves the situation a bit. We cannot provide documentation on event handlers to describe what they do, though.

We're going to reconsider the security concerns.

Philippe
Received on Friday, 24 August 2001 11:44:54 UTC
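
The removal and "fake message" concerns raised in the quoted text, modelled as an added example that is not part of the original message or of the DOM draft. `EnumerableTarget.listenersFor()` is a hypothetical stand-in for the proposed EventListenerList, and `makeAuditListener`, `thirdPartyCleanup` and `runScenario` are constructed names; it assumes a runtime with a global `EventTarget` (a browser or a recent Node.js).

```javascript
// Constructed model: listenersFor() is a hypothetical stand-in for the proposed
// EventListenerList; it is not the draft's real signature.
class EnumerableTarget extends EventTarget {
  #byType = new Map();
  addEventListener(type, fn, opts) {
    if (!this.#byType.has(type)) this.#byType.set(type, new Set());
    this.#byType.get(type).add(fn);
    super.addEventListener(type, fn, opts);
  }
  removeEventListener(type, fn, opts) {
    this.#byType.get(type)?.delete(fn);
    super.removeEventListener(type, fn, opts);
  }
  listenersFor(type) { return [...(this.#byType.get(type) ?? [])]; }
}

// Audit listener bound to one target: events delivered through any other
// target (the re-attachment case) are ignored instead of being recorded.
function makeAuditListener(expectedTarget) {
  const seen = [];
  const listener = (ev) => {
    if (ev.currentTarget !== expectedTarget) return;
    seen.push(ev.type);
  };
  return { listener, seen };
}

// Code that holds the target but was never handed the listener reference.
function thirdPartyCleanup(target, type) {
  if (typeof target.listenersFor !== "function") return 0; // nothing to enumerate
  const found = target.listenersFor(type);
  for (const fn of found) target.removeEventListener(type, fn);
  return found.length;
}

function runScenario(TargetClass) {
  const doc = new TargetClass();
  const other = new TargetClass();
  const audit = makeAuditListener(doc);
  doc.addEventListener("change", audit.listener);
  other.addEventListener("change", audit.listener); // listener attached elsewhere
  other.dispatchEvent(new Event("change"));         // dropped by the currentTarget check
  const removed = thirdPartyCleanup(doc, "change");
  doc.dispatchEvent(new Event("change"));           // recorded only if still registered
  return { removed, audited: audit.seen.length };
}
```

With the plain `EventTarget` the listener reference acts as the capability needed for removal, so the audit listener survives; once listeners can be enumerated, holding the target is enough to remove it.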