'Did windows update 2846071 break the handling of window.event.clientX clientY?
Did windows update http://support.microsoft.com/?kbid=2846071 break the handling of window.event.clientX
and clientY
? It seems that Windows 7 machines using IE 9 or 10 now return something that looks like the window position (top left corner) rather than the mouse position within the window. The numbers look accurate, but may be negative.
Or is that a "fix" and I should really be using something else for the mouse position.
I was using it in window.onbeforeunload
to detect a user leaving the page without logging out and giving them the boot, but I'm disabling that today until I figure this out.
Solution 1:[1]
This link: http://social.technet.microsoft.com/Forums/windows/ja-JP/0985853c-0376-48d0-b748-c4259c0fc4a9/26356260321250312525124641252112512-kb2846071 implies that this was an intentional outcome.
It may be that this was changed to address the security concern here: http://blogs.msdn.com/b/ie/archive/2012/12/13/update-to-alleged-information-and-security-issue-with-mouse-position-behavior.aspx
Solution 2:[2]
Argh! Ok so here is the issue Microsoft was trying to fix AND what they broke in the process.
Originally IE was leaking the event coordinates outside the browser viewport (1) (e.g. in a region that the webpage should not know about) as well as leaking the coordinates when the IE window didn't have the active focus (2) (e.g. when you are in another app, or on another monitor... and finally it leaked some keystrokes (3).
It looks like Microsoft fixed the leaking of coordinates... but did so by COMPLETELY removing all of them... including the USEFUL in viewport coordinates!
e.g. events are returning undefined
for X,Y coordinates that are most certainly 100% inside the browser viewport.
Solution 3:[3]
This really looks like something Microsoft didn't intend releasing.
- Previously, they have stated they did not think there was any risk "outside the lab"
- The change is undocumented in the patch, which refers to "Memory Corruption" and "JIS Character Encoding Vulnerabilities"
- If clientX only returned coordinates within the page, the risk goes away
Is a patch for the patch on the way?
Further: The problem with clientX/clientY (and similar properties) is dependent on the event used to fire the javascript. I've found that onfocus returns incorrect coordinates, but onclick returns correct coordinates. Haven't tried other events.
Solution 4:[4]
The javascript in the OP was broken by this Microsoft July 2013 update (this is even acknowledged in the "Known issues" section):
http://support.microsoft.com/kb/2846071/en-gb
But it was fixed in this August 2013 update:
http://support.microsoft.com/kb/2862772
I have confirmed that clients on which I install the Aug update no longer have the issue.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | EricLaw |
Solution 2 | scunliffe |
Solution 3 | |
Solution 4 | John Gilmer |