Passive and active attacks via X11. Is Wayland any better?
Bill Spitzak
spitzak at gmail.com
Fri Feb 17 12:05:30 PST 2012
Kristian Høgsberg wrote:
>> 1) Are you planning to support on-screen keyboard apps? If so, how this
>> is going to be implemented, so that a malicious/compromised app couldn't
>> act as such "on-screen keyboard" and inject keystrokes to other apps?
>
> We can restrict access to functionality on a per-application basis.
> An on-screen keyboard would be part of the core ui and launched by the
> compositor in a way that gives it access to the "input event
> injecting" interface.

I think a much easier way is that clients directly talk to the on-screen
keyboard application.
* Clients that decide not to talk to it cannot possibly receive events.
* If the client knows it is talking to an on-screen keyboard it can also
restrict the keys to text input and not have them trigger shortcuts.
* The API can allow information relevant to on-screen keyboards (such as
its position) to be communicated.