- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 06 Sep 2011 09:45:18 -0400
- To: www-dom@w3.org

On 9/6/11 7:52 AM, Robin Berjon wrote:

> in working on the Contacts API[0], DAP has described a security model in which opening up a contacts picker (which is similar in idea to a file picker, but — you guessed it — for contacts rather than files) can be triggered only by code that traces back to a genuine user action.

...

> The set of events that could pull that trigger was called "valid auto-invocation events"[1], and defined to include click, dblclick, and mouseup.

I strongly object to this definition. The concept of "user action" is very UA-specific, and should in my opinion be up to the UA. For example, I believe as a UA author I should have the option of treating a click on "opacity:0.00001" content as not a user action.... I fully expect UAs to end up implementing such heuristics as more and more sites try to use hacks like that to work around UA popup blocking; if we put even more important things than popups in the same bucket, then there will be even more incentive for both the hacks and the improved heuristics.

> It would seem that this could usefully be shared across several specifications that might wish to rely on the same kind of limitation and that guaranteeing some interoperability would be helpful here.

I agree that sharing this definition across specifications is a really good idea, because I expect it to be hard to define this sanely.

-Boris

Received on Tuesday, 6 September 2011 13:45:48 UTC
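
The kind of check discussed in this message, sketched as an added example (it is not part of the original post and not any browser's actual implementation): a gate that accepts only the three quoted event types and additionally rejects clicks whose target is effectively invisible. The function names, the `getStyle` stand-in for `getComputedStyle`, and the 0.1 opacity threshold are assumptions made for illustration.

```javascript
// Event types from the quoted "valid auto-invocation events" definition.
const AUTO_INVOCATION_EVENTS = new Set(["click", "dblclick", "mouseup"]);
// Assumed cut-off below which content counts as invisible; not from any spec.
const MIN_VISIBLE_OPACITY = 0.1;

// Opacity composes multiplicatively down the tree, so a fully opaque button
// inside an "opacity:0.00001" wrapper is still invisible to the user.
function effectiveOpacity(el, getStyle) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const value = parseFloat(getStyle(node).opacity);
    if (!Number.isNaN(value)) opacity *= Math.min(Math.max(value, 0), 1);
  }
  return opacity;
}

// Hypothetical gate: true only for a trusted event of an allowed type
// whose target the user could plausibly have seen.
function isUserAction(event, getStyle) {
  if (!AUTO_INVOCATION_EVENTS.has(event.type)) return false;
  if (event.isTrusted !== true) return false; // script-dispatched event
  return effectiveOpacity(event.target, getStyle) >= MIN_VISIBLE_OPACITY;
}

// Constructed sample tree (plain objects standing in for DOM elements).
const getStyle = (node) => node.style; // stand-in for window.getComputedStyle
const body = { parentElement: null, style: { opacity: "1" } };
const ghost = { parentElement: body, style: { opacity: "0.00001" } };
const hiddenButton = { parentElement: ghost, style: { opacity: "1" } };
const visibleButton = { parentElement: body, style: { opacity: "0.9" } };

function demo() {
  const click = (target, isTrusted = true) => ({ type: "click", isTrusted, target });
  return {
    visible: isUserAction(click(visibleButton), getStyle),
    hidden: isUserAction(click(hiddenButton), getStyle),
    synthetic: isUserAction(click(visibleButton, false), getStyle),
    keydown: isUserAction({ type: "keydown", isTrusted: true, target: visibleButton }, getStyle),
  };
}
console.log(demo());
```

The event-type list alone would accept the click on `hiddenButton`; only the opacity walk rejects it, which is the gap between a fixed event list and a UA-chosen heuristic.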