On Thu, Dec 20, 2012 at 8:08 AM, Maciej Stachowiak <[email protected]> wrote: > On Dec 18, 2012, at 6:44 AM, Anne van Kesteren <[email protected]> wrote: >> The specification is modeled after Gecko and Chrome and very much >> intents to have keyboard access working. As per usual, everything that >> is not restricted is expected to work. > > That seems like a bad basis to make a decision about a security issue.
I'm not sure I follow. How specifications are written has no influence on how decisions regarding them are made. >> I am willing to add some wording to the security section to make the >> risks of keyboard access more clear. Does anyone have some suggested >> wording? > > What would be the point? Web developers can't protect themselves from > phishing attacks by other sites, and as you state the spec currently does not > allow UAs to limit keyboard access. So who is the audience for such as > security considerations warning? End users? I think the specification should state that certain keys should be protected, such as the key used by the user agent to fully exit fullscreen. > At minimum, I'd like the spec to explicitly allow not providing full keyboard > access, as requested in my original message on this thread: > >>> Despite both of these defenses having drawbacks, I think it is wise for >>> implementations to implement at least one of them. I think the spec should >>> explicitly permit implementations to apply either or both of these >>> limitations, and should discuss their pros and cons in the Security >>> Considerations section. > > As you point out, the spec does not currently allow this behavior. Are you > rejecting this request? If so, why? Safari has had this behavior since > forever and is unlikely to change in the foreseeable future, so it seems > pointless to disallow it. Allowing Safari's behavior is bad for a large number of use cases, such as games and presentations that need to respond to key input. > And given this difference in UA behavior, it seems useful to let web > developers feature-detect the difference in behavior somehow. Does Safari implement the standardized API already? http://trac.webkit.org/browser/trunk/Source/WebCore/dom/Document.idl suggests it is still prefixed. -- http://annevankesteren.nl/
