Security/Reviews/Firefox5/ReviewNotes/click

Date of Review: 2011.04.28 & 2011.05.02

Item Reviewed

Concern:

  • click() should not count as a real click
    • It is an untrusted synthetic event, so it does not cause problems with form submissions or popup blocking
  • Bug calls for file picker to come up on file control?
    • Events are tracked for handling to allow or deny popup control state
  • Does onaccesskey override our accesskeys?
    • It may in some cases, but should webapps be able to do this?
    • Not defined in any spec; there are bugs in both directions
    • Some things should not be overridable, but this is not necessarily a security issue

Actions:

  • File a bug that the file picker should be subject to pop-up blocker logic. Calling click() should not be trusted, but sites that call click() in response to a real user click on another button should be OK. This works in some cases but not in others, which appears to be a popup blocker bug.
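
The behaviour the action item asks for, as an added example that is not part of the original notes and is not Firefox code: a simplified model in which the file picker is gated on popup-control state, a script-only click() is denied, and a click() made while a real user click is being handled is allowed. The names `PopupGate`, `dispatch`, `syntheticClick`, `openFilePicker` and `runScenarios` are hypothetical.

```javascript
// Simplified model of popup-control state (assumption, not Firefox source).
class PopupGate {
  constructor() {
    this.stack = []; // one entry per event currently being handled
  }

  // True only while a trusted (real user) event is somewhere on the stack.
  get allowed() {
    return this.stack.length > 0 && this.stack[this.stack.length - 1];
  }

  // Run a handler for an event. trusted=true models a real user click.
  dispatch(handler, trusted) {
    // An untrusted event never raises the state by itself; it only
    // inherits what an enclosing trusted dispatch already granted.
    this.stack.push(trusted || this.allowed);
    try {
      return handler();
    } finally {
      this.stack.pop();
    }
  }

  // Model of element.click(): always an untrusted synthetic event.
  syntheticClick(handler) {
    return this.dispatch(handler, false);
  }

  // Model of the file picker coming up, gated like a popup.
  openFilePicker() {
    return this.allowed ? "shown" : "blocked";
  }
}

function runScenarios() {
  const gate = new PopupGate();
  const activateFileControl = () => gate.openFilePicker();
  return {
    scriptOnly: gate.syntheticClick(activateFileControl),
    userClicksButton: gate.dispatch(() => gate.syntheticClick(activateFileControl), true),
    userClicksControl: gate.dispatch(activateFileControl, true),
  };
}

console.log(runScenarios());
```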