Open Bug 812202 Opened 8 years ago Updated 8 years ago
Mouse Event with ctrlkey flag
Summary: initMouseEvent with ctrl flag bug → initMouseEvent with ctrlkey flag
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Version: 16 Branch → 6 Branch
The event listener that handles ctrl+click is part of the UI, not Gecko, and is only listening for trusted events. Whether we want to allow opening new tabs from untrusted events like that is up to the UI folks, obviously.
Component: DOM: Core & HTML → Tabbed Browser
Product: Core → Firefox
I think this would need a sec-review. Opening a new tab from untrusted JS is something that could have upgraded a spoofing bug I filed a few years ago from sg:moderate to sg:high (as opposed to convincing the user to physically Ctrl+Click something).
You need to log in before you can comment on or make changes to this bug.