keydown: ignore untrusted keyevents

Ref #24.
tridactyl · Nov 9, 2017 · 48cedc058bb09b2a8ad898d8caa3455adc510b1e · 48cedc0
1 parent a0a29ae
commit 48cedc058bb09b2a8ad898d8caa3455adc510b1e
Showing with 4 additions and 0 deletions.

+4 −0 src/keydown_content.ts
diff --git a/src/keydown_content.ts b/src/keydown_content.ts
@@ -5,11 +5,15 @@ import * as msgsafe from './msgsafe'
 import {isTextEditable} from './dom'
 
 function keyeventHandler(ke: KeyboardEvent) {
+    // Ignore JS-generated events for security reasons.
+    if (! ke.isTrusted) return
+
     // Bad workaround: never suppress events in an editable field
     // and never suppress keys pressed with modifiers
     if (! (isTextEditable(ke.target as Node) || ke.ctrlKey || ke.altKey)) {
         suppressKey(ke)
     }
+
     Messaging.message("keydown_background", "recvEvent", [msgsafe.KeyboardEvent(ke)])
 }