[chromium-dev] Re: Any plan to support Event.isTrusted attribute in Chrome?

Discussion:

Andrew Hintz

2016-01-17 17:42:12 UTC

isTrusted has now been implemented for Chrome Extensions:
https://www.chromestatus.com/feature/6461137440735232
https://code.google.com/p/chromium/issues/detail?id=334015
https://googlechrome.github.io/samples/event-istrusted/

Many thanks to dtapuska for doing the work!

Hi,
One of my colleague is trying to fix a XSS security issue in a chrome
extension, which needs to distinguish if a keyboard or mouse event is
actually fired by the user. Seems that Event.isTrusted
<http://www.w3.org/TR/DOM-Level-3-Events/#widl-Event-isTrusted> attribute
fits the requirement perfectly, but unfortunately Chrome doesn't support
it. So we are wondering if there is any plan to support it in Chrome in
near future? Or is there an alternate way to achieve it?
Thanks a lot.
--
- James Su

Ivan Castellanos

2018-11-24 23:14:16 UTC

Permalink

Any idea why is there no way to set isTrusted when using dispatchEvent from
a Chrome extension? Right now as a extensions developer I have to make the
ugliest workaround: modifying all JS scripts on runtime to transform
event.isTrusted to true, can't believe there is no way of doing this.

Post by Andrew Hintz
https://www.chromestatus.com/feature/6461137440735232
https://code.google.com/p/chromium/issues/detail?id=334015
https://googlechrome.github.io/samples/event-istrusted/
Many thanks to dtapuska for doing the work!

--
--
Chromium Developers mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+***@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/a5cd0182-2ce7-49c1-911d-44a49073b428%40chromium.org.

Dave Tapuska

2018-11-26 19:21:46 UTC

Permalink

You can inject trusted events using the debugger interface.

See:
https://stackoverflow.com/questions/46619522/keyboard-simulation-using-a-chrome-extension?rq=1

Post by Ivan Castellanos
Any idea why is there no way to set isTrusted when using dispatchEvent
from a Chrome extension? Right now as a extensions developer I have to make
the ugliest workaround: modifying all JS scripts on runtime to transform
event.isTrusted to true, can't believe there is no way of doing this.

--
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups
"Chromium-dev" group.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/a5cd0182-2ce7-49c1-911d-44a49073b428%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/a5cd0182-2ce7-49c1-911d-44a49073b428%40chromium.org?utm_medium=email&utm_source=footer>
.

--
--
Chromium Developers mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+***@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CAHgVhZXxDsPJ5Z%3DnJdG%3D3FGnm13uwGvmSCk1Jt58b%3D-b_aXuxw%40mail.gmail.com.

Ivan Castellanos

2018-11-26 20:32:21 UTC

Permalink

Thanks for the response. I'm glad there is a way; pretty weird for it to be
on the "debugger" namespace since the intended use is to act on the behalf
of the user not help him debug anything or fetch any debugging info; plus
this means I need to ask the user for "debugging" permissions and that's
just gonna confuse the user.

Post by Dave Tapuska
You can inject trusted events using the debugger interface.
https://stackoverflow.com/questions/46619522/keyboard-simulation-using-a-chrome-extension?rq=1

--
--
Chromium Developers mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+***@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/33cfafc6-3a10-486c-b448-dae23b7de39a%40chromium.org.

Dave Tapuska

2018-11-26 23:31:40 UTC

Permalink

Well you are trying to impersonate a real user by injecting input. I
presume your extension isn't widely distributed because granting an
extension debugging access gives the extension all sorts of functionality
that puts the user at risk.

Dave

Post by Ivan Castellanos
Thanks for the response. I'm glad there is a way; pretty weird for it to
be on the "debugger" namespace since the intended use is to act on the
behalf of the user not help him debug anything or fetch any debugging info;
plus this means I need to ask the user for "debugging" permissions and
that's just gonna confuse the user.

Post by Dave Tapuska
You can inject trusted events using the debugger interface.
https://stackoverflow.com/questions/46619522/keyboard-simulation-using-a-chrome-extension?rq=1

Hi,
One of my colleague is trying to fix a XSS security issue in a
chrome extension, which needs to distinguish if a keyboard or mouse event
is actually fired by the user. Seems that Event.isTrusted
<http://www.w3.org/TR/DOM-Level-3-Events/#widl-Event-isTrusted> attribute
fits the requirement perfectly, but unfortunately Chrome doesn't support
it. So we are wondering if there is any plan to support it in Chrome in
near future? Or is there an alternate way to achieve it?
Thanks a lot.
--
- James Su

--
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google
Groups "Chromium-dev" group.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/a5cd0182-2ce7-49c1-911d-44a49073b428%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/a5cd0182-2ce7-49c1-911d-44a49073b428%40chromium.org?utm_medium=email&utm_source=footer>
.

--
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups
"Chromium-dev" group.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/33cfafc6-3a10-486c-b448-dae23b7de39a%40chromium.org
<https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/33cfafc6-3a10-486c-b448-dae23b7de39a%40chromium.org?utm_medium=email&utm_source=footer>
.

--
--
Chromium Developers mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+***@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CAHgVhZVePmipiPDCQORhwF0_VEnKCZyRgfLSE36Ja7hZdB1b%3DA%40mail.gmail.com.