Closed Bug 406364 Opened 17 years ago Closed 17 years ago

privileged calls to addEventListener should ignore untrusted events by default

Categories

(Core :: DOM: Events, enhancement)

Product:
Core
Component:
DOM: Events
Platform:
x86
Linux
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: jeremy, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070507 (Gentoo)
Build Identifier: 

I think in almost all cases privileged code will want to ignore untrusted events.  Not making it the default just leads to mistakes that are possible exploits.

Reproducible: Always
Bug 289940 comment 0 indicates that the plan was for "ignore untrusted events" to be the default for chrome.  Is that not what happened?
Chrome ignores untrusted events by default.
I think this about other privileged code?
The check is IsCallerChrome(), as I recall.  It's really not clear from comment 0 what this bug is about, exactly...
Oh, it looks like I'm mistaken then.  I had thought the default was the other way around.  Sorry for the noise.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.