293 points ulrischa | 18 comments
1. account42 No.42174070
Why are websites getting mouse position in screen coordinates in the first place?
replies(8): >>42174192 #>>42174200 #>>42174236 #>>42174247 #>>42174483 #>>42174549 #>>42174581 #>>42177418 #
2. jazzyjackson No.42174192
If you're reacting to click events, you might want to know the coordinates of where you're clicking. I mostly use this for click and drag stuff since you can get the delta between events and update position of the thing being dragged.

Why they're checking for coordinates instead of checking for event.type is beyond me. Still, I appreciate the write-up, it is a good puzzle and relatable to come across code you didn't write and ask: why is it important that the click coordinate is nonzero? Why can't we just check that event.target is the button we want to activate? Why are we using JavaScript at all when a details/summary tag would do the same job?

replies(1): >>42175606 #
3. DCH3416 No.42174200
Uh. So they can keep track of what the user is doing?

Why would you just send a document when you can generate a heat map of where the user is on your website. And then complain about the performance and wonder why it costs so much to run a modern website.

replies(2): >>42174285 #>>42174308 #
4. Sayrus No.42174236
I've searched for reasons and couldn't find much. The fact that a website can know where a browser window is located (window.screenX/window.screenY) and that click positions can be reported in that coordinate system sounds insane for a desktop. TOR Browser seems to spoof screenX and screenY to avoid fingerprinting.

Has anyone seen good use-cases for that feature? I'm thinking about dual-window applications that interact with each other (I think I saw a demo of something like this a while ago on HN but I wasn't able to find it again), or sites where behavior depends on their location on the virtual screen.

replies(3): >>42174288 #>>42175446 #>>42178604 #
5. Taylor_OD No.42174247
Haha. Welcome to the world of analytics. Lots of sites are recording exactly what you are doing on their site including mouse movement at all times.
6. No.42174285
7. diggan No.42174288
The webkit report talks about it (https://bugs.webkit.org/show_bug.cgi?id=281430), while the article doesn't seem to, for some reason. Another HN comment with summary: https://news.ycombinator.com/item?id=42174177
8. Sayrus No.42174308
The issue isn't so much the coordinate of the mouse within a page, but that the coordinates are relative to the virtual screen layout. It describes where your window is located on the screen(s) and the click is expressed in screen coordinates. Mapping those coordinates to your website's renderer coordinates requires additional calculation.

layerX[1] while non-standard is supported and returns a position relative to the top of the page or the top of the parent element. This makes coordinates positive only and 50,50 is the same for all users. For screenX, 3000,1567 is the same coordinate as 15,37 depending on where the window is located.

[1] https://developer.mozilla.org/en-US/docs/Web/API/MouseEvent/...

9. tshaddox No.42174483
It’s useful for creating games where the graphics are composed of many small browser windows which interact with one another.

For example:

https://youtu.be/3al8prbfK5o?si=loNtyqIfMFkppm5V

replies(1): >>42180990 #
10. johnisgood No.42174549
I use it for a JavaScript-free CAPTCHA, works well, but it only sends the x and y of mouse click upon clicking on it.
11. nine_k No.42174581
Because this was easy to do during the 10 days allocated to develop JavaScript in 1995, and then backwards compatibility kicked in :(
12. willwade No.42175446
Back in the HTML 4 days we did these shenanigans all the time. I worked on very over-the-top sites that played with multiple windows talking to each other and moving in synchrony. I’ve tried looking for examples on archive.org (e.g. I know we did this a ton on Flash-heavy sites like the Design Museum in London) but alas the ones I was looking for are broken in that archive.
13. yarg No.42175606
Relative coordinates sure, but why would you need the absolute position?

I'm with you on the second point - as unlikely as it is for the click to occur at the origin, it's still a legitimate value being abused as an indicator of something that might not actually be true - quite frankly the code was bad to begin with, and it was still bad after the fix.
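
The coordinate relationship described in comment 8 and the zero-coordinate check questioned in comments 2 and 13, as an added example that is not part of the thread or the linked article: a plain-object model of click events that runs without a browser. The window origins, the helper names and the `naiveIsKeyboardClick` stand-in are constructed for illustration, and the all-zero, `detail` 0 shape of a keyboard-activated click is an assumption of the model.

```javascript
// Added example: plain-object model of click coordinates; runs without a DOM.
// Window origins and helper names are constructed for illustration.

// A click at viewport position (clientX, clientY) in a window whose viewport's
// top-left corner sits at (originX, originY) on the virtual screen.
function mouseClick(win, clientX, clientY) {
  return {
    type: "click",
    detail: 1, // click count reported for a real pointer click
    clientX,
    clientY,
    screenX: win.originX + clientX,
    screenY: win.originY + clientY,
  };
}

// Assumption: a click fired by Enter/Space on a focused button carries no
// pointer position, modelled here as all-zero coordinates and detail 0.
function keyboardClick() {
  return { type: "click", detail: 0, clientX: 0, clientY: 0, screenX: 0, screenY: 0 };
}

// The "additional calculation": screen coordinates back to viewport coordinates.
function screenToClient(win, ev) {
  return { x: ev.screenX - win.originX, y: ev.screenY - win.originY };
}

// Stand-in for the kind of check the thread questions: zero means "keyboard".
function naiveIsKeyboardClick(ev) {
  return ev.screenX === 0 && ev.screenY === 0;
}

// Check that does not depend on where the window is placed.
function isKeyboardClick(ev) {
  return ev.type === "click" && ev.detail === 0;
}

// Constructed layouts: a window on a right-hand monitor, one at the screen
// origin, and one on a monitor placed up and to the left of the primary.
const farRight = { originX: 2985, originY: 1530 };
const atOrigin = { originX: 0, originY: 0 };
const upperLeft = { originX: -400, originY: -300 };

function demo() {
  const a = mouseClick(farRight, 15, 37); // screen 3000,1567
  const b = mouseClick(atOrigin, 15, 37); // screen 15,37
  const c = mouseClick(upperLeft, 400, 300); // screen 0,0 from a real mouse
  return { a, b, c, naiveOnC: naiveIsKeyboardClick(c), robustOnC: isKeyboardClick(c) };
}
```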

14. grumple No.42177418
Well, I used it for bounding box and reading order annotations, but that’s a pretty specialized use case.
15. thundermuffin No.42178604
Maybe this[1] is the demo you were thinking of? It's what came to mind when reading this chain at least.

[1] https://x.com/wesbos/status/1727730566143803522

replies(1): >>42179224 #
16. Sayrus No.42179224{3}
Not the one I was thinking of but definitely the vibe, thanks for sharing.
17. yarg No.42180990
That's nowhere near useful enough to justify such a significant security flaw.
replies(1): >>42181770 #
18. robertlagrant No.42181770{3}
I agree. Though that is cool.