On Fri, Sep 28, 2012 at 7:00 PM, ANTONIO MANUEL AMAYA CALVO <[email protected]> wrote: > This one > > https://bugzilla.mozilla.org/show_bug.cgi?id=794407 > > isn't on any on the lists (or if it is I didn't see it), and it really should > be.
FWIW, relying on user actions should never be used as a security mechanism. The user might not have any idea that his/her action can cause something harmful to happen and might just be thinking he/she is clicking a link or scrolling a window. The "user action required" step should only be used to prevent APIs from being used to annoy the user. I.e. to prevent a API from opening dialogs every second. > As it stands now, any web page can use the 'dial' web activity from a script > and the dialer just places the call. That really should not be the case. If it is that's a separate bug and a bad one. No app should take any potentially harmful actions just in response to an activity. It's the responsibility of the dialer app to make sure that the user really wants to place the phonecall, for example by just prefilling the phone number but waiting for the user to press the 'dial' button. / Jonas _______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
