From gbhackers.com
The Web Platform is incredibly powerful, but regrettably, malicious websites will do all in their capacity to misuse it.
To prevent such exploitation, blocking actions that weren’t accompanied by a “User Gesture” is one of the weakest (but easiest to implement) defenses.
Gestures are a weak primitive because, although it is easy to determine whether a user has clicked or pressed a key, they do not suit the design objective of clearly conveying a user request well.
A more certain method of deceiving users is gesture-jacking, which eliminates the need for accurate window position, precise click timing, and the random nature of the user’s display settings.