HACKER Q&A
📣 docuru

Is isTrusted in DOM event reliable?


I'm curious about prevent spam bot submitting forms (well, beside using captcha).

Some DOM events, for example MouseEvent, or FormEvent contains a boolean, read-only property `isTrusted`. Basically, to see if the action was performed by the user, we check if `event.isTrusted` is `true`.

From what I saw, there is one case to bypass a form `submit` event. When the form has a submit button (which does nothing). If I click the button through JavaScript, the button's `click` event will have `isTrusted = false`. But when it bubble up, the form's `submit` event will have `isTrusted` became `true`.

Is there any other case, isTrusted not reliable?

  👤 phillipseamore Accepted Answer ✓
The isTrusted flag won't help out with that, it's primarily an indicator that the event follows a user gesture and can escalate privileges (like playing audio). A spam bot will usually not be using an actual browser (or running JS) - and if it were it could easily say all events are trusted.