focus-without-user-activation feature policy
#406
Labels
from: Microsoft
Proposed, edited, or co-edited by Microsoft.
position: support
topic: web apis
Spec relates to web APIs (entry points for script)
venue: WHATWG HTML Workstream
Comments
This was referenced Oct 1, 2024
|
This seems reasonable and I would suggest we resolve this as "position: support" one week from now. The one thing this really needs to succeed is good test coverage. |
annevk
added
topic: web apis
|
Given our supportive position, there's now a bug tracking the WebKit implementation for |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
WebKittens
@annevk
Title of the proposal
focus-without-user-activationfeature policyURL to the spec
whatwg/html#4585. The spec PR needs to be updated to reflect default value of
self.URL to the spec's repository
https://github.com/whatwg/html
Issue Tracker URL
No response
Explainer URL
https://github.com/w3c/webappsec-permissions-policy/blob/main/policies/focus-without-user-activation.md
TAG Design Review URL
No response
Mozilla standards-positions issue URL
mozilla/standards-positions#1080
WebKit Bugzilla URL
https://bugs.webkit.org/show_bug.cgi?id=282951
Radar URL
No response
Description
The proposed feature policy
focus-without-user-activationis used to prevent programmatic focus in iframe without user activation. The default value of the policy isselfwhich is disabled for third-party context.This issue is discussed during TPAC 2024 in webappsec and whatwg meeting.
The issue was resolved with proposed resolution:
RESOLVED: The default value of focus-without-user-activation feature policy should be self. Focus delegation should also be allowed (allow parent frame programmatically set focus into child iframe).
Webkit already requires user gesture for x origin iframes to steal focus.
The text was updated successfully, but these errors were encountered: