
> It's a shame they have a messy pile of API-specific hacks to propagate the "user gesture". Chrome solved this problem with a change to the spec

If Safari had changed the spec that comment would probably have begun with "It's a shame they had to change the spec..."

> Safari's approach means you have very specific codepaths, and if you do something async...tough luck

I'm no expert on it but this sounds more secure, no?

> APIs like clipboard (want to copy something

On a side note, I really wish non-explicit copy/pasting/clipboard snooping would die.

iOS 14 has exposed a bunch of apps that read your clipboard without any explicit paste action. It's creepy and we can only hope that it's not malicious. A bunch of big names including Discord are guilty of this.



> If Safari had changed the spec that comment would probably have begun with "It's a shame they had to change the spec..."

I don't follow. They are breaking the spec anyways. A simple timeout would be equally spec-breaking and a lot easier to understand and use.

The weird async-callback-chaining doesn't actually limit any nefarious behaviour. It just requires the code author to carefully stay inside their arbitrary happy-path. A simple timeout after a user gesture is just simpler. Furthermore, this is something that you can't test without buying a thousand-dollar device.


Programmatic paste is restricted in all browsers, including Safari (although Chrome has a special exception hardcoded to the Suite apps).



