Browser's event handlers should not see untrusted events from content

RESOLVED DUPLICATE of bug 289940

Status


enhancement
15 years ago
a month ago

People

(Reporter: jruderman, Unassigned)

Tracking

1.7 Branch
x86
Windows XP

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

15 years ago
Untrusted (synthetic) events have been a major source of security holes: bug
108104, bug 257431, bug 265176, bug 265456, bug 265680, bug 265728, bug 263960.
The fixes usually involve making the event handlers return immediately if the
event's isTrusted property is false.

If possible, we should plug these holes once and for all by not sending
untrusted events to C++, chrome XUL, and chrome JS handlers.  If some handlers
need to see synthetic events that originated in content (why?), they should have
to somehow specifically ask to receive those events.
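
The default-deny delivery proposed in the description, sketched as an added example (not part of the bug report and not Mozilla code). `ChromeEventRouter` and its `acceptUntrusted` option are hypothetical names, and the events are constructed plain objects standing in for browser events, whose `isTrusted` flag is set by the engine.

```javascript
'use strict';
// Added illustration, not Mozilla code. ChromeEventRouter and the
// acceptUntrusted option are hypothetical names.
class ChromeEventRouter {
  constructor() {
    this.listeners = new Map(); // event type -> [{ handler, acceptUntrusted }]
    this.dropped = [];          // audit trail of filtered deliveries
  }

  // Privileged handlers see trusted events only, unless they opt in.
  addListener(type, handler, { acceptUntrusted = false } = {}) {
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push({ handler, acceptUntrusted });
  }

  // Returns the number of handlers that actually received the event.
  dispatch(event) {
    // Fail closed: a missing or non-boolean isTrusted counts as untrusted.
    const trusted = event.isTrusted === true;
    let delivered = 0;
    for (const { handler, acceptUntrusted } of this.listeners.get(event.type) || []) {
      if (!trusted && !acceptUntrusted) {
        this.dropped.push({ type: event.type, handler: handler.name });
        continue;
      }
      handler(event, trusted);
      delivered += 1;
    }
    return delivered;
  }
}

// Constructed sample events: plain objects stand in for browser events.
function runDemo() {
  const router = new ChromeEventRouter();
  const log = [];
  // Security-sensitive handler: registered with the default, so trusted only.
  router.addListener('command', function confirmInstall() { log.push('install'); });
  // Harmless handler that explicitly asks to see synthetic events too.
  router.addListener('command', function recordTelemetry(e, trusted) {
    log.push(trusted ? 'telemetry:user' : 'telemetry:synthetic');
  }, { acceptUntrusted: true });

  const counts = [
    router.dispatch({ type: 'command', isTrusted: true }),  // real user action
    router.dispatch({ type: 'command', isTrusted: false }), // synthesized by content
    router.dispatch({ type: 'command' }),                   // flag missing
  ];
  return { counts, log, dropped: router.dropped.map(d => d.handler) };
}
```

With the check in the dispatch path, a handler that forgets to test `isTrusted` is still never invoked for synthetic events, and every filtered delivery is recorded in `dropped`.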
(Reporter)

Comment 1

14 years ago

*** This bug has been marked as a duplicate of 289940 ***
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
Component: Event Handling → User events and focus handling
Product: Core → Core