Security/Reviews/Firefox5/ReviewNotes/click

From MozillaWiki

Date of Review: 2011.04.28 & 2011.05.02

Item Reviewed

Concern:

  • A click() call should not count as a real click
    • This is an untrusted synthetic event, so it does not cause problems with form submissions or popup blocking
  • Bug calls for the file picker to come up on a file control?
    • Events are tracked during handling to allow or deny the popup control state
  • Does onaccesskey override our accesskeys?
    • It may in some cases, but should webapps be able to do this?
    • Not defined in any spec; there are bugs in both directions
    • Some things should not be overridable, but this is not necessarily a security issue

Actions:

  • File a bug that the file picker should be subject to pop-up blocker logic. Calling click() should not be trusted, but sites that call click() in response to a real user click on another button should be OK. This works in some cases but not in others, which appears to be a popup blocker bug.
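
Added example (not part of the review notes and not Gecko code): a simplified JavaScript model of the behavior the action item asks for, where a trusted event allows popups for the duration of its handler and a click() call only inherits whatever state is already in effect. PopupGate and its methods are hypothetical names, and the model ignores any timing allowances a real popup blocker applies.

```javascript
// Simplified model of popup-control state (added illustration, not Gecko code).
// All names here (PopupGate, dispatch, openFilePicker) are hypothetical.
class PopupGate {
  constructor() {
    this.stateStack = ["blocked"]; // default: no user gesture is being handled
  }
  get state() {
    return this.stateStack[this.stateStack.length - 1];
  }
  // Run a handler for an event. A trusted (real user) event pushes "allowed"
  // for the duration of the handler; an untrusted synthetic event pushes
  // nothing and simply inherits whatever state is already in effect.
  dispatch(event, handler) {
    const pushed = event.isTrusted;
    if (pushed) this.stateStack.push("allowed");
    try {
      return handler(event);
    } finally {
      if (pushed) this.stateStack.pop();
    }
  }
  // element.click() modelled as dispatching an untrusted click event.
  syntheticClick(handler) {
    return this.dispatch({ type: "click", isTrusted: false }, handler);
  }
  // The file picker is treated like a popup: allowed only inside a gesture.
  openFilePicker() {
    return this.state === "allowed" ? "picker-shown" : "picker-blocked";
  }
}

// Constructed scenarios.
function userClicksButtonThatForwardsClick(gate) {
  // Real click on another button whose handler calls click() on the file control.
  return gate.dispatch({ type: "click", isTrusted: true }, () =>
    gate.syntheticClick(() => gate.openFilePicker()));
}
function pageCallsClickOnItsOwn(gate) {
  // click() called with no user gesture on the stack.
  return gate.syntheticClick(() => gate.openFilePicker());
}
function pageCallsClickAfterGestureEnded(gate) {
  let deferred;
  gate.dispatch({ type: "click", isTrusted: true }, () => {
    deferred = () => gate.syntheticClick(() => gate.openFilePicker());
  });
  return deferred(); // runs after the trusted handler has returned
}
```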