I have a Chrome extension that needs to produce human-like mouse and keyboard behavior (specifically, generate events that have a <code>isTrusted</code> value of <code>true</code>). I can do everything I need except for scrolling with the <code>chrome.debugger</code> APIs. But it seems that the <code>Window.scroll()</code> method is sufficient for this purpose up to Chrome 52 and Firefox 48.0a1. This can be observed by attaching an event listener to the page as follows: <pre class="prettyprint"><code>document.addEventListener("scroll", function (event) { console.log("event trusted? " + event.isTrusted); }); </code></pre> and then running something like <code>window.scroll(0, 10);</code> in the developer console. This will log <code>event trusted? true</code> to the developer console. My question is: why is this the case? Shouldn't the <code>isTrusted</code> property be <code>false</code> in this case since the scroll event was clearly generated by a script?

This is by specification, per the DOM Living Standard: <blockquote> NOTE: <code>isTrusted</code> is a convenience that indicates whether an event is dispatched by the user agent (as opposed to using <code>dispatchEvent()</code>). The sole legacy exception is <code>click()</code>, which causes the user agent to dispatch an event whose <code>isTrusted</code> attribute is initialized to false. </blockquote> Also, in the DOM Level 3 Events Specification: <blockquote> <h3>3.4. Trusted events</h3> Events that are generated by the user agent, either as a result of user interaction, or as a direct result of changes to the DOM, are trusted by the user agent with privileges that are not afforded to events generated by script through the <code>createEvent()</code> method, modified using the <code>initEvent()</code> method, or dispatched via the <code>dispatchEvent()</code> method. The <code>isTrusted</code> attribute of trusted events has a value of <code>true</code>, while untrusted events have a <code>isTrusted</code> attribute value of <code>false</code>. </blockquote> Thus, <code>isTrusted</code> only reflects if the event has been dispatched or created artificially using <code>createEvent</code>, <code>initEvent</code>, or <code>dispatchEvent</code>. Now, look at the definition of <code>Window.scroll</code> per the CSSOM View Module Editor's Draft: <blockquote> When the <code>scroll()</code> method is invoked these steps must be run: [...] <ol start="2"> <li>If invoked with two arguments, follow these substeps:</li> </ol> [...] 12. Perform a scroll of the viewport to position, document’s root element as the associated element, if there is one, or null otherwise, and the scroll behavior being the value of the <code>behavior</code> dictionary member of options. </blockquote> Nowhere in the method is an artificial event created with <code>createEvent</code>, <code>initEvent</code>, or <code>dispatchEvent</code>, thus the value of <code>isTrusted</code> is <code>true</code>. Note that using <code>Window.scroll</code> still triggers the event handler because it integrates with the event loop, and a <code>scroll</code> event is emitted when a viewport or element is scrolled. This does not, however, use <code>createEvent</code>, <code>initEvent</code>, or <code>dispatchEvent</code>. Using the <code>isTrusted</code> event isn't a sure-fire way of detecting whether a script generated an event. It only detects if an event has been created and dispatched with <code>createEvent</code>, <code>initEvent</code>, or <code>dispatchEvent</code>.

Why does calling Window.scroll() give a trusted event?

I have a Chrome extension that needs to produce human-like mouse and keyboard behavior (specifically, generate events that have a isTrusted value of true). I can do everything I need except for scrolling with the chrome.debugger APIs.

But it seems that the Window.scroll() method is sufficient for this purpose up to Chrome 52 and Firefox 48.0a1. This can be observed by attaching an event listener to the page as follows:

document.addEventListener("scroll", function (event) { 
    console.log("event trusted? " + event.isTrusted);
});

and then running something like window.scroll(0, 10); in the developer console. This will log event trusted? true to the developer console.

My question is: why is this the case? Shouldn't the isTrusted property be false in this case since the scroll event was clearly generated by a script?

What triggers a scroll event?

The scroll event fires when the document view has been scrolled. For element scrolling, see Element: scroll event .

What are scroll events?

The onscroll event occurs when an element's scrollbar is being scrolled. Tip: use the CSS overflow style property to create a scrollbar for an element.

This is by specification, per the DOM Living Standard:

NOTE: isTrusted is a convenience that indicates whether an event is dispatched by the user agent (as opposed to using dispatchEvent()). The sole legacy exception is click(), which causes the user agent to dispatch an event whose isTrusted attribute is initialized to false.

Also, in the DOM Level 3 Events Specification:

3.4. Trusted events

Events that are generated by the user agent, either as a result of user interaction, or as a direct result of changes to the DOM, are trusted by the user agent with privileges that are not afforded to events generated by script through the createEvent() method, modified using the initEvent() method, or dispatched via the dispatchEvent() method. The isTrusted attribute of trusted events has a value of true, while untrusted events have a isTrusted attribute value of false.

Thus, isTrusted only reflects if the event has been dispatched or created artificially using createEvent, initEvent, or dispatchEvent. Now, look at the definition of Window.scroll per the CSSOM View Module Editor's Draft:

When the scroll() method is invoked these steps must be run:

[...]

If invoked with two arguments, follow these substeps:

[...]

12. Perform a scroll of the viewport to position, document’s root element as the associated element, if there is one, or null otherwise, and the scroll behavior being the value of the behavior dictionary member of options.

Nowhere in the method is an artificial event created with createEvent, initEvent, or dispatchEvent, thus the value of isTrusted is true. Note that using Window.scroll still triggers the event handler because it integrates with the event loop, and a scroll event is emitted when a viewport or element is scrolled. This does not, however, use createEvent, initEvent, or dispatchEvent.

Using the isTrusted event isn't a sure-fire way of detecting whether a script generated an event. It only detects if an event has been created and dispatched with createEvent, initEvent, or dispatchEvent.

Why does calling Window.scroll() give a trusted event?

Tags:

javascript

dom-events

Brian Kieffer

People also ask

1 Answers

3.4. Trusted events

Andrew Li

Recent Activity

Donate For Us

Why does calling Window.scroll() give a trusted event?

Tags:

javascript

dom-events

Brian Kieffer

People also ask

1 Answers

3.4. Trusted events

Andrew Li

Related questions

Recent Activity

Donate For Us