privileged calls to addEventListener should ignore untrusted events by default

RESOLVED INVALID

Status

enhancement
11 years ago
11 years ago

People

(Reporter: jeremy, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070507 (Gentoo)
Build Identifier: 

I think in almost all cases privileged code will want to ignore untrusted events.  Not making it the default just leads to mistakes that are possible exploits.

Reproducible: Always

Comment 1

11 years ago
Bug 289940 comment 0 indicates that the plan was for "ignore untrusted events" to be the default for chrome.  Is that not what happened?

Comment 2

11 years ago
Chrome ignores untrusted events by default.
I think this is about other privileged code?
The check is IsCallerChrome(), as I recall.  It's really not clear from comment 0 what this bug is about, exactly...
(Reporter)

Comment 4

11 years ago
Oh, it looks like I'm mistaken then.  I had thought the default was the other way around.  Sorry for the noise.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → INVALID