Contact emails
ke...@chromium.org, rby...@chromium.org
Spec
http://www.w3.org/TR/DOM-Level-3-Events/#trusted-events
Summary
Event.isTrusted is an attribute that is true when the event was generated by a user action, and false when the event was created or modified by script, or dispatched via dispatchEvent.
Motivation
This is primarily intended to be used by extensions. Password Alert wants to know whether a given event originated from a script running in the main world, or if it came from the user, and we see this as a reasonable thing for an extension to want to know. We expect it to have limited usefulness on the open web, which is why it had not been implemented to date, because scripts should be able to achieve the same result with using custom attributes.
Compatibility Risk
We don't expect any compatibility problems. Firefox and Internet Explorer implement Event.isTrusted.
Ongoing technical constraints
None.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
OWP launch tracking bug
https://code.google.com/p/chromium/issues/detail?id=334015
Link to entry on the feature dashboard
https://www.chromestatus.com/features/6461137440735232
Requesting approval to ship?
Yes
because scripts should be able to achieve the same result with using custom attributes.
Hmm, out of curiosity what does this mean for the android WebView (or any embeddings in an environment where input events can be modified or sent synthetically), and Chrome Custom Tabs?
Chatted with Andrew Grieve offline: there isn't really a way to distinguish between programmatically generated input events and user generated input on Android. I was thinking if that was possible, we could toggle that bit based on whether the input was generated by the user or programmatically.
Right, the attribute will be marked as Unforgeable, but scripts could still do the same with a differently named attribute.
isTrusted does not really convey any kind of security guarantee.
On Mon, Jun 22, 2015 at 11:37 PM, Ken Buchanan <ke...@chromium.org> wrote:isTrusted does not really convey any kind of security guarantee.You keep repeating that, but why not?For example, a script that clicks on the "Purchase" button (or whatever button it is that can cost the user some money without even entering any payment details). If the handler is within a self evaluating anonymous function, third party scripts cannot call the handler by themselves, so isTrusted will be meaningful here.
(IMHO, isTrusted is a bad feature because it will confuse too many people into thinking it has some security value.)
On 6/22/15 2:01 PM, Adam Barth wrote:
> For example, the attacker can add an isTrusted getter to the
> MouseEvent prototype that always returns true.
The isTrusted property is specified to be a non-configurable own
property on Event objects. So if you just do event.isTrusted you will
get the right value no matter what someone has done with
MouseEvent.prototype.... as long as "event" is an actual Event instance.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
I'm leaning towards thinking that we should do this, but have some questions.First, I take it https://dom.spec.whatwg.org/#dom-event-istrusted is what you'll try to implement, not http://www.w3.org/TR/DOM-Level-3-Events/#trusted-events?
Per spec, https://dom.spec.whatwg.org/#concept-event-fire is the only place that sets isTrusted to true, but in Blink I don't think there is a common code path for firing events that is taken for all internally created events but never for script-created events. How will isTrusted be implemented? I strongly doubt that all specs actually refer to "fire an event named e" when firing events, so to implement it pedantically would result in some pretty confusing mess.
On Mon, Jun 29, 2015 at 8:14 AM, Philip Jägenstedt <phi...@opera.com> wrote:I'm leaning towards thinking that we should do this, but have some questions.First, I take it https://dom.spec.whatwg.org/#dom-event-istrusted is what you'll try to implement, not http://www.w3.org/TR/DOM-Level-3-Events/#trusted-events?The latter is defined in terms of http://www.w3.org/TR/dom/ which is just a snapshot of the former, so the semantics should be the same. I'm not aware of any relevant differences, but please let me know if I've missed something!
Per spec, https://dom.spec.whatwg.org/#concept-event-fire is the only place that sets isTrusted to true, but in Blink I don't think there is a common code path for firing events that is taken for all internally created events but never for script-created events. How will isTrusted be implemented? I strongly doubt that all specs actually refer to "fire an event named e" when firing events, so to implement it pedantically would result in some pretty confusing mess.It's a good point that this is going to take some care, but from initial experience with identifying MouseEvents dispatched from script, I don't expect it to be a huge issue. EventTarget::dispatchEvent is (AFAIK) the only script entrypoint for dispatching events, so we can focus on ensuring we always set isTrusted to false there and that we never call it internally (a few fixes for that were needed here). We should probably take some extra steps in review to minimize the risk of mistakes (eg. rename some methods / add comments to clarify the different paths).
On Mon, Jun 29, 2015 at 2:55 PM, Rick Byers <rby...@chromium.org> wrote:On Mon, Jun 29, 2015 at 8:14 AM, Philip Jägenstedt <phi...@opera.com> wrote:I'm leaning towards thinking that we should do this, but have some questions.First, I take it https://dom.spec.whatwg.org/#dom-event-istrusted is what you'll try to implement, not http://www.w3.org/TR/DOM-Level-3-Events/#trusted-events?The latter is defined in terms of http://www.w3.org/TR/dom/ which is just a snapshot of the former, so the semantics should be the same. I'm not aware of any relevant differences, but please let me know if I've missed something!What the UI Events spec says seems mostly superfluous on top of DOM, so I'm wondering if anything in it will inform implementation. In particular, this bit looks like something we might regret: "Most untrusted events should not trigger default actions, with the exception of the click event. This event always triggers the default action, even if the isTrusted attribute is false (this behavior is retained for backward-compatibility)."The way it's phrased in the UI Events spec assumes that default actions are a feature of the event and its event target, which is how it's actually implemented with defaultEventHandler(). However, I think Anne's ambition is that default actions should always be taken by the code that dispatches the event. This is the topic of a long-winded spec bug:
Now, the exemption for click events was implemented in https://codereview.chromium.org/894913002/ but I wonder if adding isTrusted would change anything around this? It would be nice to have use counters to see if this case is actually required for web compat. (Note that the click() method is different, as the default action could be run by click() itself.)Per spec, https://dom.spec.whatwg.org/#concept-event-fire is the only place that sets isTrusted to true, but in Blink I don't think there is a common code path for firing events that is taken for all internally created events but never for script-created events. How will isTrusted be implemented? I strongly doubt that all specs actually refer to "fire an event named e" when firing events, so to implement it pedantically would result in some pretty confusing mess.It's a good point that this is going to take some care, but from initial experience with identifying MouseEvents dispatched from script, I don't expect it to be a huge issue. EventTarget::dispatchEvent is (AFAIK) the only script entrypoint for dispatching events, so we can focus on ensuring we always set isTrusted to false there and that we never call it internally (a few fixes for that were needed here). We should probably take some extra steps in review to minimize the risk of mistakes (eg. rename some methods / add comments to clarify the different paths).Setting isTrusted in dispatchEvent() would be observably different from what the spec says, though. The simplest thing would be if isTrusted has the correct value from time the event is created and never changes, but that is also the most complicated fix because there's no split between internal and external ways to create events...
Philip
LGTM3, with the recognition that this doesn't solve a security problem
between scripts in the same page, but it's already shipped elsewhere
and doesn't seem broken or confusing enough to try to change the spec
and all other browsers.
Philip