Regarding focus transfer

11 views
Skip to first unread message

AnonymousLurker

unread,
Dec 28, 2010, 9:54:10 PM12/28/10
to Belay Research
The Belay web site for 9-24, Friday, proposes this:

Side discussion: click/key jacking (and accidental clicking on
popups): popup windows, since they do not result from a user action,
should not have focus until they are clicked on. In order to allow
popups that _do_ result from user actions (e.g. launching an
application), then a simple rule works: if you have focus, then you
can transfer it. If you do not, then only the user can give it to you.

https://sites.google.com/site/belayresearchproject/september-on-site/friday-september-24th

I thought I'd point out that there seems to be some risks with this
policy as well, at least on the legacy web. In particular, there's
still the risk that a malicious site redirects keystrokes to a victim
web page, defeating trusted path. See strokejacking:

http://lcamtuf.blogspot.com/2010/10/attack-of-monster-frames-mini.html
http://lcamtuf.blogspot.com/2010/06/curse-of-inverse-strokejacking.html

An alternative policy to consider might be: if window A currently has
focus, then window A can request to transfer focus to window B; if
window B accepts the focus (or also requests it), then the focus
transfer happen, otherwise nothing happens. Obviously, this is
incompatible with the legacy web.

-- David Wagner
Reply all
Reply to author
Forward
0 new messages