Did Windows Update 2846071 Break The Handling Of window.event.clientX/clientY?
Solution 1:
This link: http://social.technet.microsoft.com/Forums/windows/ja-JP/0985853c-0376-48d0-b748-c4259c0fc4a9/26356260321250312525124641252112512-kb2846071 implies that this was an intentional outcome.
It may be that this was changed to address the security concern here: http://blogs.msdn.com/b/ie/archive/2012/12/13/update-to-alleged-information-and-security-issue-with-mouse-position-behavior.aspx
Solution 2:
Argh! Ok so here is the issue Microsoft was trying to fix AND what they broke in the process.
Originally IE was leaking the event coordinates outside the browser viewport (1) (e.g. in a region that the webpage should not know about) as well as leaking the coordinates when the IE window didn't have the active focus (2) (e.g. when you are in another app, or on another monitor)... and finally it leaked some keystrokes (3).
It looks like Microsoft fixed the leaking of coordinates... but did so by COMPLETELY removing all of them... including the USEFUL in viewport coordinates!
e.g. events are returning undefined for X,Y coordinates that are most certainly 100% inside the browser viewport.
Solution 3:
This really looks like something Microsoft didn't intend to release.
- Previously, they have stated they did not think there was any risk "outside the lab"
- The change is undocumented in the patch, which refers to "Memory Corruption" and "JIS Character Encoding Vulnerabilities"
- If clientX only returned coordinates within the page, the risk goes away
Is a patch for the patch on the way?
Further: The problem with clientX/clientY (and similar properties) is dependent on the event used to fire the JavaScript. I've found that onfocus returns incorrect coordinates, but onclick returns correct coordinates. Haven't tried other events.
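Added example (not part of any answer in this thread): one defensive way for page script to cope with the behaviour described above, where clientX/clientY may be undefined or wrong depending on the event type. It accepts coordinates only from mouse-driven events when they are finite and inside the viewport, and reuses the last accepted position for events such as focus. The names readClientCoords and createPointerTracker and the sample event objects are hypothetical and constructed for illustration.

```javascript
// Event types whose clientX/clientY describe a real pointer position.
var POINTER_EVENTS = ["click", "mousedown", "mouseup", "mousemove"];

// Return {x, y} only for a mouse-driven event with finite, in-viewport
// coordinates; otherwise return null instead of propagating undefined/NaN.
function readClientCoords(evt, viewport) {
  if (!evt || POINTER_EVENTS.indexOf(evt.type) === -1) return null;
  var x = evt.clientX, y = evt.clientY;
  if (typeof x !== "number" || typeof y !== "number") return null;
  if (!isFinite(x) || !isFinite(y)) return null;
  if (x < 0 || y < 0 || x >= viewport.width || y >= viewport.height) return null;
  return { x: x, y: y };
}

// Remember the last accepted pointer position so handlers for other events
// (e.g. onfocus) do not depend on their own coordinates.
function createPointerTracker(viewport) {
  var last = null;
  return {
    handle: function (evt) {
      var coords = readClientCoords(evt, viewport);
      if (coords) last = coords;
      return coords || last; // null until a valid pointer event is seen
    }
  };
}

// Constructed sample events. In a page, pass the handler's event argument
// (or window.event in old IE) and take the viewport size from
// document.documentElement.clientWidth / clientHeight.
function demo() {
  var tracker = createPointerTracker({ width: 1024, height: 768 });
  return [
    tracker.handle({ type: "focus", clientX: undefined, clientY: undefined }),
    tracker.handle({ type: "click", clientX: 120, clientY: 45 }),
    tracker.handle({ type: "focus", clientX: undefined, clientY: undefined }),
    tracker.handle({ type: "focus", clientX: 9999, clientY: -3 }),
    tracker.handle({ type: "mousemove", clientX: 2000, clientY: 10 })
  ];
}
```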
Solution 4:
The JavaScript in the OP was broken by this Microsoft July 2013 update (this is even acknowledged in the "Known issues" section):
http://support.microsoft.com/kb/2846071/en-gb
But it was fixed in this August 2013 update:
http://support.microsoft.com/kb/2862772
I have confirmed that clients on which I install the Aug update no longer have the issue.