W3C home > Mailing lists > Public > www-dom@w3.org > April to June 2009

RE: [DOML3Events] ACTION-267 Proposal for event iterator

From: Mike Wilson <mikewse@hotmail.com>
Date: Fri, 1 May 2009 15:00:15 +0200
Message-ID: <BAY116-DAV90E9237B4FAD35EACAC6AA46D0@phx.gbl>
To: "'Jonas Sicking'" <jonas@sicking.cc>
Cc: <www-dom@w3.org>
Message-ID: <01af01c9ca5c$c5b86d90$acd3503e@mikedeskxp>
Jonas Sicking wrote:
> > Jonas Sicking wrote:
> >> Also, would your example work even if the API only enumerated
> >> page-added event listeners, and not listeners added by the
> >> implementation or user script?
> >
> Mike Wilson wrote:
> > Sorry Jonas, I'm not 100% sure on the terminology with 
> > "implementation and user script", but if you with user scripts 
> > are referring to external script files included by the current 
> > page (<script src=...>) then, yes, event handlers added from 
> > these scripts would need to be included in the handler
> > listing as well.
> > If my answer is not sufficient, could you maybe give me an 
> > example of the kinds of scripts you were thinking about?
> With implementation listeners I mean listeners that the UA adds to the
> DOM using normal DOM APIs. For example a UA might use a pair of
> mouseover/mouseout listeners to display the url for a <a> link in the
> statusbar. Or it can use a click listener to temporarily disable the
> popup blocker.
> With user scripts I mean things like grease monkey scripts 
> that adds listeners.

Thanks for the clarification Jonas.

My expectation as a page author would be not to see any trace of 
implementation listeners. My page didn't create these listeners so
it shouldn't list (or at all bother about) them either. My logical
view of this is that the UA uses an internal API that creates a
certain "category" of handlers that are only accessible by the UA.

User scripts are harder for me to have a well-founded opinion about
as I am not aware of their execution model. The little I have used
GreaseMonkey has given me the impression that they behave like 
forcing extra script includes inside your page and from there behave
like any code delivered with the page.
Basically I would like things to work in an analogous way as for
implementation listeners, i e user script event handlers should only
be visible to user scripts and not to page scripts, but I am not
sure on how feasible that is wrt how GreaseMonkey is implemented

So, having said this, what's your view on how these rules (or
variations of them) would affect the possibility of going forward
and specify event handler enumerability in DOM3?

> Note that putting a glass pane in front of a link is unlikely to be a
> useful "defense" for the page. Especially in the case of click
> listeners since that would mean that the link can't be clicked at all
> and so is useless. And similarly, removing the element and replacing
> it with a new one is likely also a useless defense since the UA or
> greasemonkey script can use for example mutation event listeners to
> detect when the new element is inserted and add a listener to that
> element.

I think you may have misunderstood why I mentioned glass pane etc (but
please excuse if I am misunderstanding you now). I was replying to a
post that said enumerability of handlers would be a security problem
in mashups, as portlets could remove or change each other's event 
handlers. I made a few examples on how they may already attack each 
other with existing APIs.

Best regards
Received on Friday, 1 May 2009 13:01:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:36:54 UTC