whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

Prevent programmatic focus in iframe #4326

Open marian-r opened 5 years ago

marian-r commented 5 years ago

Resubmitting an issue from https://github.com/w3c/webappsec/issues/543 and https://github.com/w3c/webappsec-feature-policy/issues/273

I would like to propose a way to restrict iframe from programmatically setting focus on any of its inputs. Restricting would mean that the .focus() calls inside the iframe would have no effect. I am proposing that it could be achieved with a new feature policy or a sandbox flag, not sure which one suits more to this case:

sandbox: <iframe src="ad.html" sandbox="allow-focus-calls"></iframe>

feature policy: <iframe src="ad.html" allow="focus-calls"></iframe>

(The name of the flag is just an example. Feel free to propose a better name)

I am a Software Engineer working on advertising security for a house of large online publishers (Yahoo, Tumblr, HuffPost, TechCrunch, AOL to name a few). The reason behind this proposal is that it gives a way for publishers to improve the security of visitors by restricting the ability for (malicious) ads to programmatically steal focus without users noticing.

Example:

<!-- Top page: embeds the ad -->
<html>
<body>
<h1>Top page</h1>
<iframe src="ad.html"></iframe>
</body>
</html>

<!-- ad.html: the embedded document -->
<html>
<body>
<p>Iframe</p>
<input id="textInput" type="text">
<script>
// Programmatic focus call: moves focus into the iframe on load
document.getElementById('textInput').focus();
</script>
</body>
</html>

The iframe in the example 'steals' focus from the top page as soon as it loads.
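As an added illustration (not code from the issue author), the following publisher-side monitor flags the behaviour described above: focus landing in an `<iframe>` with no recent user gesture. The `GESTURE_WINDOW_MS` threshold and the report shape are constructed assumptions, not anything the thread specifies.

```javascript
// Added example: detect focus moving into an <iframe> without a recent user
// gesture, the pattern the proposal wants to block. Assumes this script runs
// in the top-level publisher page. GESTURE_WINDOW_MS is a constructed threshold.
const GESTURE_WINDOW_MS = 1000;

// Pure decision logic, kept free of DOM access so it can be unit-tested.
// Focus is "stolen" when it lands in an iframe and the last user gesture
// (pointerdown/keydown) is older than the window, or never happened at all.
function classifyFocusChange({ activeIsIframe, lastGestureAt, now, windowMs = GESTURE_WINDOW_MS }) {
  if (!activeIsIframe) return 'ignored';        // focus stayed in the top document
  if (lastGestureAt === null) return 'stolen';  // no gesture since page load
  return now - lastGestureAt <= windowMs ? 'user-initiated' : 'stolen';
}

// Report object for the stolen case; frameSrc is read from the iframe element.
function buildReport(frameSrc, now) {
  return { type: 'iframe-focus-steal', frameSrc, at: now };
}

// DOM wiring: only active in a browser; in Node the pure functions stay usable.
function installFocusStealMonitor(onReport) {
  if (typeof window === 'undefined' || typeof document === 'undefined') return false;
  let lastGestureAt = null;
  const noteGesture = () => { lastGestureAt = performance.now(); };
  // Capturing listeners fire even if an embedded handler stops propagation.
  window.addEventListener('pointerdown', noteGesture, true);
  window.addEventListener('keydown', noteGesture, true);
  // When focus enters a cross-origin frame the top window receives 'blur'
  // and document.activeElement becomes the <iframe> element itself.
  window.addEventListener('blur', () => {
    const el = document.activeElement;
    const verdict = classifyFocusChange({
      activeIsIframe: el instanceof HTMLIFrameElement,
      lastGestureAt,
      now: performance.now(),
    });
    if (verdict === 'stolen') onReport(buildReport(el.src, Date.now()));
  });
  return true;
}

installFocusStealMonitor((report) => console.warn('iframe focus steal detected', report));
```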

annevk commented 5 years ago

cc @whatwg/security

domenic commented 5 years ago

This appears to be a complete duplicate of the other two issues; it is probably best to centralize discussion, instead of spreading it into three places.

domenic commented 5 years ago

This has a (stalled?) pull request by @ehsan-karamad in progress at https://github.com/whatwg/html/pull/4585.

rniwa commented 5 years ago

Note that WebKit and other browser engines now require user gesture for cross-origin iframe to steal focus: https://trac.webkit.org/changeset/248491

mustaqahmed commented 3 years ago

We have a similar behavior in Chrome since [M76](https://www.chromestatus.com/feature/5179186249465856). Again drawing attention to our HTML PR https://github.com/whatwg/html/pull/4585.

annevk commented 3 years ago

None of that seems to actually state what Chrome ships? The PR also has some outstanding feedback.

siliu1 commented 1 month ago

More discussion in https://github.com/w3c/webappsec-permissions-policy/issues/273.