Re: Firefox focus stealing vulnerability (possibly other browsers)

[Michal Zalewski <lcamtuf () dione ids pl>]

On Tue, 13 Feb 2007, Andreas Beck wrote:

> Let scripts and form parser handle upload fields just as usual form
> fields. Prefilling them with VALUE, changing them from script, etc. pp.
>
> BUT: Warn the user about uploading files.

The problem here is that a majority of users find browser warnings
impossible to understand, far too frequent, perceive them as roadblocks
(see dancing hamsters, or "reject an invalid certificate"?), and above
all, are not sure who is to be trusted (the author of the webpage, who
tells us to click "yes", or the author of a browser, who is a whiny
geek?).

Otherwise, we wouldn't have *millions* of users running attached EXE files
or clicking to install ActiveX controls despite big, honking, sometimes
repeated warnings that say "YOUR COMPUTER WILL BE OWNED" and default to
"cancel".

Adding warnings that pop up during normal activity (such as uploading your
new baby photos) further blurs the line and conditions users into clicking
"yes" on all such notices.

So, although it's a good solution from a technical standpoint, I do not
think it's optimal as far as users are concerned - whenever we can avoid
giving a non-expert user a choice without impacting functionality, we
should go for it.

In this particular case, preventing scripts from reading .value of such
input fields, moving focus to or away from these fields, and in any way
influencing the delivery of keystroke events while this field is in focus,
seems to be a good solution that wouldn't significantly interfere with
legitimate web functionality.

/mz