Closed fernfrost closed 4 years ago
It is possible to detect if a click is trusted by using the `e.isTrusted` property of the MouseEvent. Note that almost all the popups that originate from untrusted events are already blocked by the internal popup blocker of your browser. To test, run `window.setTimeout(() => window.open(), 1000)` from a page script. To trick the browser and bypass the internal popup blocker, popups are requested just after user interaction. For instance, when a user clicks on a play button, the script opens a popup instead of allowing the media to be played.
I have been playing with an idea, based on your project, to get around the problem of knowing if a click was initiated by the user or not.
The basic idea is this:
A native application listens for mouse clicks and blocks them from being sent to the browser. On click, the native application sends a click event with coordinates via native messaging to the browser extension. The extension then triggers a click event at the received coordinates and decorates the event with a randomly generated, one-time GUID/token. The extension blocks all click events, and only if the event has a matching GUID/token is it allowed to execute.
I'd be interested to hear your thoughts on this.
Kind regards
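
The token gate proposed in this issue, sketched as an added example (not code from the project or from either commenter). The names `createClickGate`, `issue`, `admit` and `clickListener`, the 500 ms token lifetime, and carrying the token as a `token` property on the event are all assumptions.

```javascript
// Added example: one-time token gate for clicks relayed by a native host.
// Every name and constant here is hypothetical, not taken from the project.
const TOKEN_TTL_MS = 500; // assumed lifetime; a relayed click is consumed at once

function createClickGate({
  newToken = () => globalThis.crypto.randomUUID(), // unguessable token
  now = Date.now,                                  // injectable clock
} = {}) {
  const pending = new Map(); // token -> { x, y, expires }

  // Called when the native host reports a physical click at (x, y).
  function issue(x, y) {
    const token = newToken();
    pending.set(token, { x, y, expires: now() + TOKEN_TTL_MS });
    return token;
  }

  // Decides whether a click event may run. The token is bound to the
  // reported coordinates and is burned on first presentation.
  function admit(event) {
    const entry = pending.get(event.token);
    if (!entry) return false;     // no token, unknown token, or replay
    pending.delete(event.token);  // single use, even if a check below fails
    if (now() > entry.expires) return false;
    return entry.x === event.clientX && entry.y === event.clientY;
  }

  return { issue, admit };
}

// Capture-phase listener: anything the gate does not admit is stopped
// before page handlers see it.
function clickListener(gate) {
  return (event) => {
    if (gate.admit(event)) return;
    event.stopImmediatePropagation();
    event.preventDefault();
  };
}

// In a content script (assumed wiring):
//   document.addEventListener('click', clickListener(gate), true);
```

The clicks the extension dispatches are themselves synthetic, so `isTrusted` is `false` on them too; in this design the token, not `isTrusted`, is what separates a relayed user click from a script-generated one.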