[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Sun Sep 28 02:25:53 PDT 2008
On Sat, 27 Sep 2008, Jim Jewett wrote:
> uhm... that is exactly when involuntary actions are *most* likely.
It's not about merely clicking something accidentally - it's about
clicking at a very specific place, as intended by the attacker, to trigger
a very specific functionality on a targeted page. So I do not quite see
how random "frustration" / wrong window focus clicks could apply (and it's
a problem that no application is really designed to handle [1]).
> Many programs become unresponsive during launch and/or setup. I
> typically switch to another program (or another page), but the mouse
> events (and even keyboard keys) don't always go to the right place.
That's odd, and I would be willing to say that this is a problem that
needs to be addressed by your window manager or OS vendor. Window focus
management and message queues should be independent of any particular
application's responsiveness to messages sent to it.
I honestly do not recall any situation where I would end up sending click
events to the wrong application because the focus switch operation I just
executed seemed to work, but in reality did not (if the application is not
responsive, it would very likely not redraw itself, which means I would
have nothing to click on).
Cheers,
/mz
[1] Well, except for http://www.bitboost.com/pawsense/
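The attack the message describes, a victim clicking at a precise spot chosen by the attacker to trigger functionality on a targeted page, depends on the targeted page being rendered inside an attacker-controlled frame. The following is an added example, not code from the whatwg thread or from any browser: a small evaluator for the CSP `frame-ancestors` directive, the server-side control that a site uses to declare which origins may frame it. The directive syntax is real CSP; the origins (`bank.example`, `partner.example`, `attacker.example`) and the function names are constructed for illustration.

```javascript
// Added example (not part of the whatwg thread): evaluate a CSP
// "frame-ancestors" directive against the chain of ancestor origins a
// document would be embedded in. Origins and names below are constructed.

// Extract the frame-ancestors source list from a Content-Security-Policy
// header value. Returns null when the directive is absent (CSP then places
// no restriction on framing).
function parseFrameAncestors(header) {
  const m = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(header);
  if (!m) return null;
  return m[1]
    .trim()
    .split(/\s+/)
    .map((s) => s.replace(/^'|'$/g, "").toLowerCase());
}

// Test one source expression against one ancestor origin.
// Supports 'self', a scheme-only source such as "https:", and host sources
// of the form [scheme://]host[:port] where host may begin with "*.".
function sourceMatches(src, ancestorOrigin, selfOrigin) {
  if (src === "none") return false;
  if (src === "self") return ancestorOrigin === selfOrigin;
  const anc = new URL(ancestorOrigin);
  const self = new URL(selfOrigin);

  // Scheme-only source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return anc.protocol === src;

  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;

  // Scheme: explicit scheme must match; a scheme-less source matches the
  // document's own scheme or https.
  if (scheme && anc.protocol !== scheme + ":") return false;
  if (!scheme && anc.protocol !== self.protocol && anc.protocol !== "https:") return false;

  // Host: "*.example" matches subdomains only, never the bare domain.
  const hostOk = wildcard ? anc.hostname.endsWith("." + host) : anc.hostname === host;
  if (!hostOk) return false;

  // Port: absent means the scheme's default port (URL.port is "" then),
  // "*" means any port, otherwise an exact match.
  if (port === undefined) return anc.port === "";
  if (port === "*") return true;
  return anc.port === port;
}

// Decide whether a document served with cspHeader from selfOrigin may be
// rendered inside the given ancestor origins (every ancestor, nearest to
// outermost, must be permitted). An empty chain is a top-level document.
function mayBeFramed(cspHeader, selfOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true;
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;
  if (sources.includes("none")) return false;
  return ancestorOrigins.every((anc) =>
    sources.some((src) => sourceMatches(src, anc, selfOrigin))
  );
}

// Constructed sample policy: the site may frame itself and may be framed
// by subdomains of a partner, nothing else.
const SAMPLE_SELF = "https://bank.example";
const SAMPLE_CSP = "default-src 'self'; frame-ancestors 'self' https://*.partner.example";

module.exports = { parseFrameAncestors, sourceMatches, mayBeFramed, SAMPLE_SELF, SAMPLE_CSP };
```

The evaluator treats a missing directive as "framing allowed", which is the condition under which the attack in the thread is possible; the decision a defender wants is an explicit `'none'` or `'self'` on any page that exposes click-triggered actions. Nested framing is checked against every ancestor, so a permitted partner page that is itself inside an attacker's frame is still refused.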