'Did windows update 2846071 break the handling of window.event.clientX clientY?

Did windows update http://support.microsoft.com/?kbid=2846071 break the handling of window.event.clientX and clientY? It seems that Windows 7 machines using IE 9 or 10 now return something that looks like the window position (top left corner) rather than the mouse position within the window. The numbers look accurate, but may be negative.

Or is that a "fix" and I should really be using something else for the mouse position.

I was using it in window.onbeforeunload to detect a user leaving the page without logging out and giving them the boot, but I'm disabling that today until I figure this out.

javascriptinternet-explorerdom-events


Solution 1:[1]

This link: http://social.technet.microsoft.com/Forums/windows/ja-JP/0985853c-0376-48d0-b748-c4259c0fc4a9/26356260321250312525124641252112512-kb2846071 implies that this was an intentional outcome.

It may be that this was changed to address the security concern here: http://blogs.msdn.com/b/ie/archive/2012/12/13/update-to-alleged-information-and-security-issue-with-mouse-position-behavior.aspx

Solution 2:[2]

Argh! Ok so here is the issue Microsoft was trying to fix AND what they broke in the process.

Originally IE was leaking the event coordinates outside the browser viewport (1) (e.g. in a region that the webpage should not know about) as well as leaking the coordinates when the IE window didn't have the active focus (2) (e.g. when you are in another app, or on another monitor... and finally it leaked some keystrokes (3).

It looks like Microsoft fixed the leaking of coordinates... but did so by COMPLETELY removing all of them... including the USEFUL in viewport coordinates!

e.g. events are returning undefined for X,Y coordinates that are most certainly 100% inside the browser viewport.

Solution 3:[3]

This really looks like something Microsoft didn't intend releasing.

  • Previously, they have stated they did not think there was any risk "outside the lab"
  • The change is undocumented in the patch, which refers to "Memory Corruption" and "JIS Character Encoding Vulnerabilities"
  • If clientX only returned coordinates within the page, the risk goes away

Is a patch for the patch on the way?

Further: The problem with clientX/clientY (and similar properties) is dependent on the event used to fire the javascript. I've found that onfocus returns incorrect coordinates, but onclick returns correct coordinates. Haven't tried other events.

Solution 4:[4]

The javascript in the OP was broken by this Microsoft July 2013 update (this is even acknowledged in the "Known issues" section):

http://support.microsoft.com/kb/2846071/en-gb

But it was fixed in this August 2013 update:

http://support.microsoft.com/kb/2862772

I have confirmed that clients on which I install the Aug update no longer have the issue.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 EricLaw
Solution 2 scunliffe
Solution 3
Solution 4 John Gilmer

Related Questions

React Router with optional path parameter

How to dynamically update google recaptcha sitekey?

How to dynamically update google recaptcha sitekey?

Remove duplicate in a string - javascript

Remove duplicate in a string - javascript

Searching a string for missing letters of the alphabet in javascript

Searching a string for missing letters of the alphabet in javascript

Searching a string for missing letters of the alphabet in javascript

Find an element in DOM based on an attribute value

Redirecting html page with javascript

Find an element in DOM based on an attribute value

Find an element in DOM based on an attribute value

Redirecting html page with javascript

How to find x and y coordinates of a button while using keyboard navigation?

How to find x and y coordinates of a button while using keyboard navigation?