Jake Archibald goes much deeper on our previous report of CSS key logging.
Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'.
Jake shared many examples as well as ways to mitigate these types of attacks.