The best approach we've come up with for this problem is to add a
function to the JS API which allows web apps to request the use of
special keys.
> --
> Chromium Developers mailing list: chromi...@chromium.org
> View archives, change email options, or unsubscribe:
> http://groups.google.com/a/chromium.org/group/chromium-dev
>
--
Caleb Eggensperger
www.calebegg.com
I thought the original reason was hung renderers, not malicious pages.
Also, the user could always use the close button.
On Wed, Mar 30, 2011 at 10:45 AM, Caleb Eggensperger <cale...@gmail.com> wrote:
I thought the original reason was hung renderers, not malicious pages.Hung renderers was a primary problem, but malicious apps were also discussed, and even if they hadn't been they'd be in scope here anyway.
Also, the user could always use the close button.UI can never rely on the mouse as the sole way of doing something.PK
--
I'd actually prefer to remove ctrl-[a-z] from reserved accelerator list and give them to web pages. For closing tab, the user can use ctrl-F4 instead.
在 2011年3月30日 上午10:49,Peter Kasting <pkas...@google.com>写道:
On Wed, Mar 30, 2011 at 10:45 AM, Caleb Eggensperger <cale...@gmail.com> wrote:
I thought the original reason was hung renderers, not malicious pages.Hung renderers was a primary problem, but malicious apps were also discussed, and even if they hadn't been they'd be in scope here anyway.But a malicious app can always hook window.onbeforeunload to prevent its window from being closed. Intercepting ctrl-w won't help for such case.
Some platforms (e.g., Chrome OS) don't have Fn keys on some hardware,
so the only available shortcut keys are the standard modifiers (Ctrl,
Alt, Shift). Regardless, for an example app that provides VNC-like
functionality (<cough>Chromoting<ahem>), _all_ such keys -- including
Fn and modifiers for it -- are valid for the application, and there's
nothing left to leave "un-hookable".
> If a web app does choose to disable some/all shortcuts, it might help to
> reflect it in the UI.
Permissions infobar, perhaps, as suggested.
> The Application Shortcut feature of Chrome brings up a
> web app in a more application-like frame, predisposing the user to expect it
> to behave like a native application more than like a web page.
This doesn't exist in Chrome OS, as the window manager is very different.
It also fits in nicely with the idea of apps as packages of
permissions: a fancy webapp (like the 280 North stuff) would
definitely want the "intercept all keys" permission, as they use Ctl-W
to close "windows" within the page.
The way to move forward on this is:
1) write a more concrete proposal, in the form of what the API would
look like (dev.chromium.org has similar proposals); run this by
chromium-dev to see if there are any objections
2) implement this for Chrome under some experimental prefix
3) see if you can get any other browser vendors interested
On Wed, Mar 30, 2011 at 2:39 PM, Wez <w...@chromium.org> wrote:Some platforms (e.g., Chrome OS) don't have Fn keys on some hardware,
> If we identify (possibly even standardise) a small set of shortcuts
> sufficient to provide easy get-out from a broken or malicious app, would
> that address both the security/stability and web-app shortcut requirements?
> If so then an API could be provided to disable all non-essential shortcuts,
> leaving only a small set un-hookable by the app or plugin.
so the only available shortcut keys are the standard modifiers (Ctrl,
Alt, Shift). Regardless, for an example app that provides VNC-like
functionality (<cough>Chromoting<ahem>), _all_ such keys -- including
Fn and modifiers for it -- are valid for the application, and there's
nothing left to leave "un-hookable".
> If a web app does choose to disable some/all shortcuts, it might help toPermissions infobar, perhaps, as suggested.
> reflect it in the UI.
This doesn't exist in Chrome OS, as the window manager is very different.
> The Application Shortcut feature of Chrome brings up a
> web app in a more application-like frame, predisposing the user to expect it
> to behave like a native application more than like a web page.
Has any progress been made on developing a prototype API for this?
Passionate is perhaps putting it a little strongly; interested might be more the mark. I'll take a look.Did anyone enter a bug for this? I don't see one, searching for "special keys".
http://crbug.com/32787 is the real issue, which you marked as WontFix
rather than leaving it open in search of an appropriate/useful answer.
Since that was marked as WontFix, at least one other related issue has
already been opened in its wake, http://crbug.com/84288 (which deals
with Chromoting, an issue I specifically pointed out in the comments
for 5496, which naustin subsequently copied to the comments of 32787).
I would recommend reopening 32787 so that it isn't lost forever in the
mail list noise, and it's likely that 84288 should be merged into it.
I would recommend reopening 32787 so that it isn't lost forever in themail list noise