Closed Bug 265729 Opened 20 years ago Closed 19 years ago

Browser's event handlers should not see untrusted events from content

Categories

(Core :: DOM: UI Events & Focus Handling, enhancement)

1.7 Branch
x86
Windows XP
enhancement
Not set
normal


RESOLVED DUPLICATE of bug 289940

People

(Reporter: jruderman, Unassigned)

Details

Untrusted (synthetic) events have been a major source of security holes: bug
108104, bug 257431, bug 265176, bug 265456, bug 265680, bug 265728, bug 263960.
The fixes usually involve making the event handlers return immediately if the
event's isTrusted property is false.

If possible, we should plug these holes once and for all by not sending
untrusted events to C++, chrome XUL, and chrome JS handlers.  If some handlers
need to see synthetic events that originated in content (why?), they should have
to somehow specifically ask to receive those events.
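
The proposal above moves the isTrusted check out of each handler and into one delivery point, with an explicit opt-in for handlers that need synthetic events. A sketch of that design, added here as an example and not Mozilla's code: `TrustGate`, `wantsUntrusted` and the handler names are hypothetical, and the events are constructed plain objects standing in for DOM events.

```javascript
// Added example: TrustGate, wantsUntrusted and the handler names are hypothetical.
class TrustGate {
  constructor() {
    this.listeners = new Map(); // event type -> [{ handler, wantsUntrusted }]
    this.dropped = [];          // audit trail of withheld deliveries
  }

  // Privileged handlers register here. Untrusted events are withheld unless
  // the caller explicitly passes { wantsUntrusted: true }.
  listen(type, handler, { wantsUntrusted = false } = {}) {
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push({ handler, wantsUntrusted });
  }

  // Single choke point: the trust decision is made once, before any
  // privileged handler runs, instead of inside every handler.
  deliver(event) {
    // Fail closed: anything other than a literal true counts as untrusted.
    const trusted = event.isTrusted === true;
    let delivered = 0;
    for (const { handler, wantsUntrusted } of this.listeners.get(event.type) || []) {
      if (!trusted && !wantsUntrusted) {
        this.dropped.push({ type: event.type, handler: handler.name || "(anonymous)" });
        continue;
      }
      handler(event);
      delivered++;
    }
    return delivered;
  }
}

// Constructed sample events: a user-generated one, a synthetic one from
// content, and one with no isTrusted property at all.
function demo() {
  const gate = new TrustGate();
  const log = [];
  gate.listen("command", function openPrefs() { log.push("openPrefs"); });
  gate.listen("command", function logEvent(e) { log.push("logEvent:" + e.isTrusted); },
              { wantsUntrusted: true });
  const events = [{ type: "command", isTrusted: true },
                  { type: "command", isTrusted: false },
                  { type: "command" }];
  const counts = events.map((e) => gate.deliver(e));
  return { counts, log, dropped: gate.dropped };
}

console.log(JSON.stringify(demo()));
```
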

*** This bug has been marked as a duplicate of 289940 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Component: Event Handling → User events and focus handling