mirrors/gecko-dev
1
0
Fork 1
mirror of https://github.com/mozilla/gecko-dev.git synced 2025-11-10 13:18:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
gecko-dev/dom/webidl/InputEvent.webidl
Masayuki Nakano e28c807e5a Bug 1533989 - Make InputEvent.data and InputEvent.dataTransfer not expose clipboard data if user disables clipboard events r=smaug 
If user disables clipboard events, it means that they don't want to expose
clipboard data to web apps even if web apps cannot handle "paste" operation.
Therefore, they must not want to leak clipboard data with `InputEvent.data`
and `InputEvent.dataTransfer`.

This patch makes `InputEvent::GetData()` and `InputEvent::GetDataTransfer()`
returns empty string or new `DataTransfer` object which has only empty string
if:
- They are called by content JS.
- The event is a trusted event.
- `inputType` value is `insertFromPaste` or `insertFromPasteAsQuotation`.

The reason why we don't return null for both is, Input Events spec declares
`data` or `dataTransfer` shouldn't be null in the `inputType` values.  And
the reason why we don't return empty `DataTransfer` is, web apps may expect
at least one data is stored in non-null `dataTransfer` value.

Differential Revision: https://phabricator.services.mozilla.com/D25350

--HG--
extra : moz-landing-system : lando
2019-03-29 16:08:11 +00:00

42 lines
1.4 KiB
Text
Raw Blame History

/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/.
*/
[Constructor(DOMString type, optional InputEventInit eventInitDict)]
interface InputEvent : UIEvent
{
readonly attribute boolean isComposing;
[Pref="dom.inputevent.inputtype.enabled"]
readonly attribute DOMString inputType;
[NeedsCallerType, Pref="dom.inputevent.data.enabled"]
readonly attribute DOMString? data;
};
dictionary InputEventInit : UIEventInit
{
boolean isComposing = false;
DOMString inputType = "";
// NOTE: Currently, default value of `data` attribute is declared as empty
// string by UI Events. However, both Chrome and Safari uses `null`,
// and there is a spec issue about this:
// https://github.com/w3c/uievents/issues/139
// So, we take `null` for compatibility with them.
DOMString? data = null;
};
// https://w3c.github.io/input-events/#interface-InputEvent
// https://rawgit.com/w3c/input-events/v1/index.html#interface-InputEvent
partial interface InputEvent
{
[NeedsCallerType, Pref="dom.inputevent.datatransfer.enabled"]
readonly attribute DataTransfer? dataTransfer;
};
partial dictionary InputEventInit
{
DataTransfer? dataTransfer = null;
};
Reference in a new issue View git blame Copy permalink