This article introduces a security bug in IE that can be used to track the user's mouse position at the system level. For more on Microsoft's proprietary features, see the DHTML documentation for IE. Two of them are interesting: event.screenX and event.screenY, which return the mouse coordinates at the system (screen) level.
At first glance there is nothing special here. The screen coordinates are just the coordinates in the browser's client area + the browser window coordinates + the client area offset.
IE can already use the event and screen objects to obtain various screen and window positions.
However, the really strange part hasn't started yet! According to the standard DOM model, an event's parameters can be read from the event only when that event is triggered.
That is to say, the mouse-related parameters can be obtained only when mousemove or another mouseXXX event is triggered. However, in IE, event.screenX and event.screenY can be read after any event is triggered, even when the page is minimized!
Of course, you may say that this still depends on an event. However, the event here can be any onxxx callback, not just a UI event. So we can trigger one manually!
The simplest example is to set an invalid src for a new Image. Its onerror event is immediately triggered!
So we can read event.screenX in onerror and then set an invalid src again, which lets us track the mouse pointer at the user's screen level in real time. Because onerror does not depend on any UI message, the event can still be triggered when the page is minimized or inactive!
Unfortunately, it is not possible to obtain which mouse button or keyboard key has been pressed. If global key presses could be captured, wouldn't it be possible to listen for password input...
In fact, triggering a non-UI event such as onerror does not carry any mouse or keyboard parameters from the browser window, so the various mouse and keyboard details cannot be obtained. As for event.screenX, the only explanation is that it is a getter on the event: internally it calls the GetCursorPos Win API directly, rather than using a value supplied by whatever triggered the event.
It would be interesting if such tracking code were implanted on a page and the coordinates were transmitted back in real time through socket.io...
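A defensive check for the pattern described above, as an added example that is not part of the original article: a heuristic scanner, runnable in Node, that flags handlers of non-pointer events which read screenX or screenY. The function names, the pointer-event list and the sample script are constructed for illustration.

```javascript
// Added example: heuristic scan of script source for handlers of non-pointer
// events that read event.screenX / event.screenY (the pattern in this article).

// Events whose handlers legitimately receive pointer coordinates (assumed list).
const POINTER_EVENT = /^(mouse\w+|click|dblclick|contextmenu|wheel|drag\w*|drop|pointer\w+|touch\w+)$/;

// Return the brace-delimited block starting at or after `from`.
// Simplification: braces inside string literals and comments are not skipped.
function blockAt(src, from) {
  const start = src.indexOf("{", from);
  if (start === -1) return "";
  let depth = 0;
  for (let i = start; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(start, i + 1);
  }
  return src.slice(start); // unbalanced braces: scan to end of input
}

function findScreenCoordReads(src) {
  const findings = [];
  // x.onNAME = function (param) {...}  or  x.attachEvent("onNAME", function (param) {...})
  const handler = /(?:\.on(\w+)\s*=\s*|attachEvent\(\s*["']on(\w+)["']\s*,\s*)function\b[^(]*\(\s*(\w*)[^{]*/g;
  let m;
  while ((m = handler.exec(src)) !== null) {
    const eventName = (m[1] || m[2]).toLowerCase();
    if (POINTER_EVENT.test(eventName)) continue; // coordinates are expected here
    // Coordinates may be read from the global `event` or the handler's parameter.
    const names = m[3] ? ["event", m[3]] : ["event"];
    const read = new RegExp("\\b(?:" + names.join("|") + ")\\s*\\.\\s*screen[XY]\\b");
    if (read.test(blockAt(src, m.index + m[0].length))) {
      findings.push({ event: eventName, line: src.slice(0, m.index).split("\n").length });
    }
  }
  return findings;
}

// Constructed sample: one suspicious handler and one benign mouse handler.
const SAMPLE = [
  "var probe = new Image();",
  "probe.onerror = function () {",
  "  record(event.screenX, event.screenY);",
  "};",
  "document.onmousemove = function (e) {",
  "  tooltip.move(e.screenX, e.screenY);",
  "};",
].join("\n");
console.log(findScreenCoordReads(SAMPLE));
```

A match is a prompt for manual review, not proof of tracking; inline HTML attribute handlers are outside what this sketch parses.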