Closed siliu1 closed 1 week ago
This seems reasonable and I would suggest we resolve this as "position: support" one week from now. The one thing this really needs to succeed is good test coverage.
Given our supportive position, there's now a bug tracking the WebKit implementation for focus-without-user-activation: https://bugs.webkit.org/show_bug.cgi?id=282951.
WebKittens
@annevk
Title of the proposal
focus-without-user-activation feature policy
URL to the spec
https://github.com/whatwg/html/pull/4585. The spec PR needs to be updated to reflect default value of self.
URL to the spec's repository
https://github.com/whatwg/html
Issue Tracker URL
No response
Explainer URL
https://github.com/w3c/webappsec-permissions-policy/blob/main/policies/focus-without-user-activation.md
TAG Design Review URL
No response
Mozilla standards-positions issue URL
https://github.com/mozilla/standards-positions/issues/1080
WebKit Bugzilla URL
https://bugs.webkit.org/show_bug.cgi?id=282951
Radar URL
No response
Description
The proposed feature policy focus-without-user-activation is used to prevent programmatic focus in an iframe without user activation. The default value of the policy is self, which is disabled for third-party context. This issue was discussed during TPAC 2024 in the webappsec and whatwg meeting.
The issue was resolved with proposed resolution:
RESOLVED: The default value of focus-without-user-activation feature policy should be self. Focus delegation should also be allowed (allow parent frame programmatically set focus into child iframe).
WebKit already requires user gesture for x origin iframes to steal focus.
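
The decision that the description and the TPAC resolution imply, as an added JavaScript model that is not part of the original issue or of any browser's code. The frame objects, `featureEnabled` and `mayFocus` are hypothetical names; the model assumes no Permissions-Policy response header is set and treats focus delegation as the direct parent calling focus on its child.

```javascript
// Added model, not browser code. Assumptions: a frame is { origin, parent, allow },
// where `allow` is this feature's entry in the iframe allow attribute:
// undefined (not listed), "*", "none", "src", or an explicit origin.
// Permissions-Policy response headers are ignored.
const FEATURE = "focus-without-user-activation";

// Is FEATURE enabled in `frame` under the default allowlist "self"?
function featureEnabled(frame) {
  if (!frame.parent) return true;                    // top-level document
  if (!featureEnabled(frame.parent)) return false;   // a disabled parent cannot re-enable it
  switch (frame.allow) {
    case undefined: return frame.origin === frame.parent.origin; // default: self
    case "*":
    case "src": return true;   // "src" matches the embedded origin in this model
    case "none": return false;
    default: return frame.allow === frame.origin;    // explicit origin
  }
}

// May focus move into `frame` programmatically?
// `caller` is the frame whose script calls focus(); default is the frame itself.
function mayFocus(frame, { userActivation = false, caller = frame } = {}) {
  if (caller !== frame) {
    // Focus delegation: only the direct parent may push focus into its child.
    return caller === frame.parent && mayFocus(caller, { userActivation });
  }
  return userActivation || featureEnabled(frame);
}

// Constructed frame tree (all origins are sample values).
const page = { origin: "https://shop.example" };
const widget = { origin: "https://shop.example", parent: page };
const ad = { origin: "https://ads.example", parent: page };
const login = { origin: "https://id.example", parent: page, allow: "src" };
const nested = { origin: "https://ads.example", parent: ad };

for (const [name, f] of Object.entries({ page, widget, ad, login, nested })) {
  console.log(FEATURE, name, mayFocus(f));
}
```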