You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
From discussion with @smaug---- in #336 and IRC it seems that basically any user-agent dispatched event is trusted.
A notable exception is click(), which is untrusted.
But postMessage()-resulting message events, mutation events (as long as we keep them around), need to be trusted.
It seems there's not really a simple rule here, such as the JavaScript stack being empty (mutation events fail that) or the user agent dispatching the event (click()).
The text was updated successfully, but these errors were encountered:
If click() is truly the one special case, perhaps the easiest thing to do here is to make the hooks provided to specifications default isTrusted to true and remove mentions of that attribute everywhere, except for around click().
It seems that's already more or less how things are setup. I cleaned up some of this in whatwg/html#1886 though as HTML does seems to sometimes mention "trusted" a bit too much.
From discussion with @smaug---- in #336 and IRC it seems that basically any user-agent dispatched event is trusted.
A notable exception is
click()
, which is untrusted.But
postMessage()
-resulting message events, mutation events (as long as we keep them around), need to be trusted.It seems there's not really a simple rule here, such as the JavaScript stack being empty (mutation events fail that) or the user agent dispatching the event (
click()
).The text was updated successfully, but these errors were encountered: