Untrusted (synthetic) events have been a major source of security holes: bug 108104, bug 257431, bug 265176, bug 265456, bug 265680, bug 265728, bug 263960. The fixes usually involve making the event handlers return immediately if the event's isTrusted property is false. If possible, we should plug these holes once and for all by not sending untrusted events to C++, chrome XUL, and chrome JS handlers. If some handlers need to see synthetic events that originated in content (why?), they should have to somehow specifically ask to receive those events.
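The proposal in the report above, as an added example that is not Mozilla's code or part of the original bug: a small dispatcher that filters untrusted events centrally, so handlers see them only if they opt in, instead of each handler checking `isTrusted` itself. `ChromeDispatcher`, `addListener`, `wantsUntrusted` and the sample events are hypothetical names and constructed data.

```javascript
// Model of central filtering: privileged handlers never receive
// untrusted events unless they register with an explicit opt-in.
class ChromeDispatcher {
  constructor() {
    this.listeners = new Map(); // event type -> [{ handler, wantsUntrusted }]
  }

  // Default is trusted-only; wantsUntrusted must be requested explicitly.
  addListener(type, handler, { wantsUntrusted = false } = {}) {
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push({ handler, wantsUntrusted });
  }

  // Returns the number of handlers that were actually invoked.
  dispatch(event) {
    // Fail closed: a missing or non-boolean flag counts as untrusted.
    const trusted = event.isTrusted === true;
    let delivered = 0;
    for (const l of this.listeners.get(event.type) || []) {
      if (!trusted && !l.wantsUntrusted) continue; // dropped before the handler runs
      l.handler(event);
      delivered++;
    }
    return delivered;
  }
}

// Constructed events: one user-initiated, one synthesized by content,
// and one with no isTrusted flag at all.
function demo() {
  const d = new ChromeDispatcher();
  const log = [];
  // Privileged handler: contains no isTrusted check of its own.
  d.addListener("command", (e) => log.push("privileged:" + e.source));
  // Handler that specifically asks to see synthetic events.
  d.addListener("command", (e) => log.push("observer:" + e.source),
                { wantsUntrusted: true });
  const counts = [
    d.dispatch({ type: "command", isTrusted: true, source: "user" }),
    d.dispatch({ type: "command", isTrusted: false, source: "content" }),
    d.dispatch({ type: "command", source: "missing-flag" }),
  ];
  return { log, counts };
}
```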
*** This bug has been marked as a duplicate of 289940 ***
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
Component: Event Handling → User events and focus handling
Product: Core → Core