Bug 1555337 Comment 5 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

> > A user clicks on a link, and the URL is loaded, then redirects to another URL which is loaded.
> Is this limited to HTTP 3xx redirects? Or does it include scripted "redirects" via location sets, <meta> refresh "redirects", etc?
This is to stop attacks on an app-links system. If the web page isn't changed, but some other native code is executed, then this code could be executed multiple times. This may make the browser unusable, or be an explicit attack on a third party app.

>> A user taps on a button, and JS starts a timer to change the window.location.
> What if the timer is for 1 hour? Should that still count as user interaction?
I included this as it was a way of implementing app banners. I don't know if this method of implementing app banners is discouraged now, and therefore this should not be `triggeredByUserInteraction`.

> An obvious thing missing from the list is "user taps a button, and JS creates a Promise whose resolution changes window.location".
You're right. I don't think comment #0 is exhaustive.
> > A user clicks on a link, and the URL is loaded, then redirects to another URL which is loaded.

> Is this limited to HTTP 3xx redirects? Or does it include scripted "redirects" via location sets, <meta> refresh "redirects", etc?

This is to stop attacks on an app-links system. If the web page isn't changed, but some other native code is executed, then this code could be executed multiple times. This may make the browser unusable, or be an explicit attack on a third party app.

>> A user taps on a button, and JS starts a timer to change the window.location.

> What if the timer is for 1 hour? Should that still count as user interaction?

I included this as it was a way of implementing app banners. I don't know if this method of implementing app banners is discouraged now, and therefore this should not be `triggeredByUserInteraction`.

> An obvious thing missing from the list is "user taps a button, and JS creates a Promise whose resolution changes window.location".

You're right. I don't think comment #0 is exhaustive.

Back to Bug 1555337 Comment 5