This is an archived snapshot of W3C's public Bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
At least when the execCommand() is run from script instead of being user-triggered.
No, probably not. The event is created and dispatched by execCommand(), so it's trusted.