[Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)

[Michal Zalewski]

On Sun, 11 Feb 2007, pdp (architect) wrote:

> this is a design problem that is not easy to fix.

That argument would work for a patch deferred by a month or two - not for
seven years.

And it's not really that much of an issue: disallow script-assisted
focusing on file input fields, or a) prevent event target from being
changed in onKeyDown (this is what MSIE does) + b) prevent scripts from
reading file input field value (really no reason for them to).

/mz