keydown: ignore untrusted keyevents

cmcaine · cmcaine · commit 48cedc058bb0 · 2017-11-09T06:01:26.000Z
Ref #24.
diff --git a/src/keydown_content.ts b/src/keydown_content.ts
@@ -5,11 +5,15 @@ import * as msgsafe from './msgsafe'
 import {isTextEditable} from './dom'
 
 function keyeventHandler(ke: KeyboardEvent) {
+    // Ignore JS-generated events for security reasons.
+    if (! ke.isTrusted) return
+
     // Bad workaround: never suppress events in an editable field
     // and never suppress keys pressed with modifiers
     if (! (isTextEditable(ke.target as Node) || ke.ctrlKey || ke.altKey)) {
         suppressKey(ke)
     }
+
     Messaging.message("keydown_background", "recvEvent", [msgsafe.KeyboardEvent(ke)])
 }
 

Original file line number	Diff line number	Diff line change
`@@ -5,11 +5,15 @@ import * as msgsafe from './msgsafe'`
`5`	`5`	`import {isTextEditable} from './dom'`
`6`	`6`
`7`	`7`	`function keyeventHandler(ke: KeyboardEvent) {`
	`8`	`+ // Ignore JS-generated events for security reasons.`
	`9`	`+ if (! ke.isTrusted) return`
	`10`	`+`
`8`	`11`	`// Bad workaround: never suppress events in an editable field`
`9`	`12`	`// and never suppress keys pressed with modifiers`
`10`	`13`	`if (! (isTextEditable(ke.target as Node) \|\| ke.ctrlKey \|\| ke.altKey)) {`
`11`	`14`	`suppressKey(ke)`
`12`	`15`	`}`
	`16`	`+`
`13`	`17`	`Messaging.message("keydown_background", "recvEvent", [msgsafe.KeyboardEvent(ke)])`
`14`	`18`	`}`
`15`	`19`