
Is the "OS focus" check a viable security restriction for "send keys"? #77

@jugglinmike

Because the sendKeys command enables clients to simulate arbitrary keyboard input, it is too powerful to satisfy security restrictions on some platforms. Some time ago, we attempted to make the command viable for those platforms by limiting its power. Specifically, we added a requirement that the application with OS focus be among some implementation-defined set of expected applications. Our thinking was that if AT Driver could only be used to send keyboard key presses to web browsers, then it could not be used to gain control over an entire system.

Here's the spec text:

  1. If the application that currently has OS focus (and so could act on simulated key presses from this API) is not one of the expected applications, then return an error with error code invalid OS focus state. Which applications are expected is implementation-defined.

However, this step was written with an outsider's understanding of the platform (specifically, my understanding). It's not clear if it is possible to implement or if it meaningfully reduces the associated risk. I'm seeking clarity on those points so we better understand the challenges before us and so we can confidently retain, modify, or remove that algorithm step.
