focus-without-user-activation feature policy
#406
Comments
This was referenced Oct 1, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
WebKittens
@annevk
Title of the proposal
focus-without-user-activationfeature policyURL to the spec
whatwg/html#4585. The spec PR needs to be updated to reflect default value of
self.URL to the spec's repository
https://github.com/whatwg/html
Issue Tracker URL
No response
Explainer URL
https://github.com/w3c/webappsec-permissions-policy/blob/main/policies/focus-without-user-activation.md
TAG Design Review URL
No response
Mozilla standards-positions issue URL
mozilla/standards-positions#1080
WebKit Bugzilla URL
No response
Radar URL
No response
Description
The proposed feature policy
focus-without-user-activationis used to prevent programmatic focus in iframe without user activation. The default value of the policy isselfwhich is disabled for third-party context.This issue is discussed during TPAC 2024 in webappsec and whatwg meeting.
The issue was resolved with proposed resolution:
RESOLVED: The default value of focus-without-user-activation feature policy should be self. Focus delegation should also be allowed (allow parent frame programmatically set focus into child iframe).
Webkit already requires user gesture for x origin iframes to steal focus.
The text was updated successfully, but these errors were encountered: