Closed jakearchibald closed 4 years ago
Navigate parent frames: No-op.
Note that you cannot reach the parent frame to navigate it.
Ah, of course, not sure what I was thinking. Updated the OP.
window.open could also be used to navigate named windows, including subframes. While I think it would be ok to block the creation of new windows from inside a portal, we need to carefully specify the behavior of window.open so we don't break existing content.
I don't think the portal should be able to navigate windows created outside the portal, but yeah, navigating frames within the portal is fine.
I did an audit in the HTML Standard trying to find places where something was restricted to a top-level browsing context. The ones I turned up that we're not already tracking are script-closable (what happens if you do window.close() inside a portal?) and allowing user agents to discard TLBCs at any time.
But I think other specs generally make more use of this restriction. E.g., payment request.
Fullscreen is an interesting case because iframes are allowed to use it via allow="" or allowfullscreen="". Do we want to allow portaled pages to get the same delegation, or do we just want to blanket-disallow it?
I'm hopeful that we can come up with a similar answer for all policy-controlled features, which is one of our remaining TODOs: https://github.com/WICG/portals#permissions-and-policies. /cc @clelland
Do we want to allow portaled pages to get the same delegation, or do we just want to blanket-disallow it?
I think fullscreen would get really tricky with the "you can't interact with portal contents" rule.
Reopening to track the spec work necessary, but now the explainer covers the intended restrictions in https://github.com/WICG/portals#other-restrictions-while-portaled .
I guess on the design side we still need to answer "Do these restrictions also apply to same-origin portals?"
My assumption is the portal will not be able to do the following:
<a target="top">: Navigates portal.
window.open: Returns null.
el.requestFullscreen: Rejects.
PresentationRequest: Various methods reject.
Any others I'm missing?
I don't know if playing sound is something we should prevent, or mute. It isn't clear to me what should happen if a page is activated and then reportaled.