open-ui
[invokers] Should invokers check for user gesture?
Currently the invoker implementations don't check for a user gesture (i.e. navigator.userActivation.isActive). Given invokers do multiple things, some of which require a user gesture, below is a list of things that do/don't:
- ❌ Popover APIs (showPopover, popovertarget) do not require a user gesture.
- ❌ Dialog APIs (showModal(), open) do not require a user gesture.
- ❌ Details APIs (open) do not require a user gesture.
- ✅ Fullscreen APIs (requestFullscreen()) do require a user gesture.
- ✅ ShowPicker APIs (showPicker()) do require a user gesture.
We have a few options with invokers:
- Make handling of invoke (event dispatch + default behaviour) require a user gesture. The downside is that this is more restrictive than the APIs it aims to replace like popovertarget.
- Make handling of invoke not require a user gesture. This is quite unlikely as it opens up security issues.
- Make some default behaviours require a user gesture. This might be confusing for users as they effectively have to internalise the list above.
I imagine the majority use case of invokers will be JS free button access but it is possible to synthesize these events (and cause them to be dispatched via synthesized clicks). https://github.com/openui/open-ui/pull/942 added some detail about the security implications and our considerations but this is one area which we should definitely provide an answer for.
When we discussed this last week we said that invokers require a trusted event which would solve this user activation requirement. As it turns out we were wrong and currently they don't require trusted events.
I personally think we should make them require trusted events for everything as this is the simplest solution, and I don't think synthesising events will be that common. If you're manually trying to invoke something using JS I would imagine you'd just call .showPopover on the popover itself.
Or you'd call .showPicker() which already requires a user activation.
To further add to this I think the HTMLMediaElement actions should largely already be covered by autoplay policy. In my chromium implementation I've currently got some user activation checks but I'm not sure they're actually needed provided the underlying autoplay policy is checked. It's worth keeping this in mind when speccing.
The Open UI Community Group just discussed [invokers] Should invokers check for user gesture?, and agreed to the following:
RESOLVED: Require user gesture for advanced APIs otherwise don't require them.
The full IRC log of that discussion
<masonf_> q?
<masonf_> ack mason
<keithamus> Luke_W: last week we spoke on security related to invokers. We mentioned they rely on trusted events, but currently the impls do not- they work with synthetic events. We've added gesture checks for the actions, but do we want to move this up to invokers generally? That invokers only work with gesture checks, or do we just keep them for the specific
<keithamus> user APIs? The only extra context to provide is popovertarget doesn't require this.
<keithamus> q+
<masonf_> ack keith
<masonf_> q+
<masonf_> ack dbaron
<keithamus> keithamus: gesture check is a security measure, so adding for the general case seems fine because invokers are a user gesture anyway, right?
<Luke_W> q+
<keithamus> dbaron: I'd say the other way; click events should dispatch click even if they're not a trusted source, but the behaviour should not be triggered unless a secure click has happened.
<dbaron> (things that require user activation or trusted events still should, but just using invokers shouldn't break things that don't require that)
<masonf_> ack mason
<keithamus> masonf_: I'm in agreement. all of the specific checks already have gesture checks, so this should not be an end run around that, but we don't need the extra checks.
<keithamus> q+
<masonf_> ack luke
<keithamus> Luke_W: form controls - the spec says activation requires trusted events, so .click won't submit. So there is precedent for requiring trusted input. Having said that I don't think invokers counts in the same way.
<masonf_> ack keith
<masonf_> q+
<masonf_> keithamus: agree with Luke. We check if preventDefault has been called and then we invoke. So we could make event get dispatched but behavior won't happen.
<keithamus> Luke_W: Having invokers always have a trusted check is nice, as you don't have to remember whether each API.
<keithamus> masonf_: users doing things in an "above board" way will get the gesture check okay so unless you're trying to subvert it you won't see the friction
<Luke_W> Proposed Resolution: Require user gesture for advanced APIs otherwise don't require them.
<keithamus> +1
<Luke_W> RESOLVED: Require user gesture for advanced APIs otherwise don't require them.
There hasn't been any discussion on this issue for a while, so we're marking it as stale. If you choose to kick off the discussion again, we'll remove the 'stale' label.
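
A simplified model of the resolution recorded in this thread, added here as an example and not code from the Open UI proposal or any browser implementation: the invoke event is always dispatched and can be cancelled, while the default behaviour is gated on a user gesture only for the APIs the issue lists as requiring one. The `invoke` helper, the `action` property and the `userActivationActive` flag (standing in for navigator.userActivation.isActive) are assumptions made for illustration; it runs in Node.js 15+ using the built-in EventTarget.

```javascript
// Simplified model (added example) of the resolved behaviour, runnable in Node.js 15+.
// Target APIs named on the page, mapped to whether they require a user gesture.
const NEEDS_USER_GESTURE = new Map([
  ['showPopover', false],
  ['showModal', false],
  ['open', false],
  ['requestFullscreen', true],
  ['showPicker', true],
]);

// Hypothetical helper: models an invoker button acting on `target`.
// `userActivationActive` stands in for navigator.userActivation.isActive.
function invoke(target, action, { userActivationActive }) {
  if (!NEEDS_USER_GESTURE.has(action)) {
    return { dispatched: false, performed: false, reason: 'unknown action' };
  }
  // The event is always dispatched, even when no gesture is present,
  // so listeners can observe it and cancel the default behaviour.
  const event = new Event('invoke', { cancelable: true });
  event.action = action;
  const notCancelled = target.dispatchEvent(event);
  if (!notCancelled) {
    return { dispatched: true, performed: false, reason: 'preventDefault' };
  }
  // The default behaviour is gated per API, not for invokers as a whole.
  if (NEEDS_USER_GESTURE.get(action) && !userActivationActive) {
    return { dispatched: true, performed: false, reason: 'no user gesture' };
  }
  return { dispatched: true, performed: true, reason: null };
}

// Constructed scenarios: a script-synthesized invocation has no active user activation.
function demo() {
  const target = new EventTarget();
  const synthetic = { userActivationActive: false };
  const realClick = { userActivationActive: true };
  const results = {
    popoverSynthetic: invoke(target, 'showPopover', synthetic),
    fullscreenSynthetic: invoke(target, 'requestFullscreen', synthetic),
    pickerRealClick: invoke(target, 'showPicker', realClick),
  };
  target.addEventListener('invoke', (e) => e.preventDefault());
  results.pickerCancelled = invoke(target, 'showPicker', realClick);
  return results;
}

console.log(demo());
```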