dtap...@chromium.org https://www.w3.org/TR/uievents/#trusted-events According to the UI Events specification un-trusted events should not invoke the default action. 'click' is the only event that is a legacy permitted case. The isTrusted support was added in https://www.chromestatus.com/features/6461137440735232 which identifies trusted events from un-trusted events. We wish to prevent synthetic events from executing the default action.This feature has been implemented behind a runtime flag for some time the goal is to move it from a disabled runtime flag to a stable runtime flag.Other vendors are compliant with the spec and we wish to be more inter-operable with this request. There are a number of things that javascript can do to steal focus from the user by allowing synthetic events to execute the default action so there are security benefits with making this change. Issues such as 160471 and 423975 as solved by implementing this feature.Firefox: No public signals Edge: No public signals
Safari: No public signals Web developers: No signals We do believe there are some sites taking advantage of our dispatching of un-trusted events. We do know that some sites will actively cause a select to open by injecting a synthetic mouse event. Initially I proposed https://discourse.wicg.io/t/htmlselectelement-add-ability-to-show-option-list-programmatically/1035 to address the potential concerns of developers using the current feature. However since there are issues with iframe's distracting the user input with this feature. I believe it is in the user's best interest to disallow the execution of un-trusted events. Firefox and Edge both do not allow this behaviour.
The discourse hasn't had many requests other than when I first initially proposed it and no comments since identifying I may not pursue it. I want to propose we make this change now for M52. If there is enough feedback from the community once the change is made we can re-evaluate the discourse.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
I can certainly add a use counter. I'm not certain why we can't do this for all events. Am I missing something?This code (and like 235) could be modified so that a use counter is incremented when a default action is performed on an untrusted event. But we probably don't want to count click events because we know we will keep that behaviour.
How about I add the use counter for M52 and remove this in M53?
I think this breaks the undo support in the auto complete widget used by Rietveld.
https://github.com/esprehn/chromium-codereview/blob/master/ui/components/cr-user-autocomplete.html
I'm not sure if that works in Firefox today, but I tried many things to get it to work and this was the only way in Chrome. I don't think we should change this unless there's an alternative that isn't rebuild text input yourself.
--
I don't think it's acceptable to stop running execCommand against input and textarea. That completely breaks inserting text with the undo stack and was explicitly given as the workaround and a justification for this change.
So we need to either revert this default actions patch for textInput events or not change execCommand. Doing both breaks the web and leaves no workaround.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
var blob = new Blob([data], { type: contentType }); var url = urlCreator.createObjectURL(blob); link.setAttribute('href', url); // Set the download attribute (Supported in Chrome 14+ / Firefox 20+) link.setAttribute("download", filename); // Simulate clicking the download link var event = document.createEvent('MouseEvents'); event.initMouseEvent('click', true, true, window, 1, 0, 0, 0, 0, false, false, false, false, 0, null); link.dispatchEvent(event);
var downloadLink = angular.element('<a></a>');//create a new <a> tag element downloadLink.attr('href', url); downloadLink.attr('download', filename); downloadLink.attr('target', '_self'); downloadLink[0].click();//call click function
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.