`focus-without-user-activation` feature policy
WebKittens
@annevk
Title of the proposal
focus-without-user-activation feature policy
URL to the spec
https://github.com/whatwg/html/pull/4585. The spec PR needs to be updated to reflect the default value of `self`.
URL to the spec's repository
https://github.com/whatwg/html
Issue Tracker URL
No response
Explainer URL
https://github.com/w3c/webappsec-permissions-policy/blob/main/policies/focus-without-user-activation.md
TAG Design Review URL
No response
Mozilla standards-positions issue URL
https://github.com/mozilla/standards-positions/issues/1080
WebKit Bugzilla URL
No response
Radar URL
No response
Description
The proposed feature policy `focus-without-user-activation` is used to prevent programmatic focus in an iframe without user activation. The default value of the policy is `self`, which is disabled for third-party contexts.
This issue was discussed during TPAC 2024 in the WebAppSec and WHATWG meeting.
The issue was resolved with the proposed resolution:
RESOLVED: The default value of focus-without-user-activation feature policy should be self. Focus delegation should also be allowed (allow parent frame programmatically set focus into child iframe).
WebKit already requires a user gesture for cross-origin iframes to steal focus.