Prevent programmatic focus in iframe

[marian-r]

Resubmitting an issue from w3c/webappsec#543

I would like to propose a way to restrict iframe from programmatically setting focus on any of its inputs. Restricting would mean that the .focus() calls inside the iframe would have no effect. I am proposing that it could be achieved with a new feature policy or a sandbox flag, not sure which one suits more to this case:

sandbox:
<iframe src="ad.html" sandbox="allow-focus-calls"><iframe>

feature policy:
<iframe src="ad.html" allow="focus-calls"><iframe>

(The name of the flag is just an example. Feel free to propose a better name)

I am a Software Engineer working on advertising security for a house of large online publishers (Yahoo, Tumblr, HuffPost, TechCrunch, AOL to name a few). The reason behind this proposal is that it gives a way for publishers to improve the security of visitors by restricting the ability for (malicious) ads to programmatically steal focus without users noticing.

Example:

<html>
<body>
<h1>Top page</h1>
<iframe src="ad.html"><iframe>
</body>
</html>

<html>
<body>
<p>Iframe</p>
<input id="textInput" type="text">
<script>
document.getElementById('textInput').focus();
</script>
</body>
</html>

The iframe in the example 'steals' focus from the top page as soon as it loads.

[dveditz]

Good summary of the options, and why feature-policy is probably a better option than sandbox (namely less web compat issues) is in the original issue at w3c/webappsec#543 (comment) (which I've closed in favor of this one).

[marian-r]

Thanks @dveditz ...has this feature also been accepted or what is the process from now?

[frivoal]

This is very similar to what we added in the spatial navigation specification to avoid iframe highjacking the focus: https://drafts.csswg.org/css-nav-1/#policy-feature through the the events defined in that specification.

Our feature policy blocks some events that can be used when the user attempts to move the focus to cancel the default move, and focus something else instead. This is intentional and useful in the context of spatial navigation, but dangerous when done by non trusted iframes. This is different from what is proposed here, but there is no contradiction, and both effects together would be needed to achieve the full effect.

Because our events are new, we disallow by default in non trusted iframes, as that is safer and there is no existing content to be compatible with. I don't know if the same would be practical on disabling the .focus() method. If it is, that's great, and we can probably combine the two feature policies. If not, I wonder if that means we should keep the two separate (so that the spatial navigation one can disallow by default), or if it is better to combine both.

[marian-r]

Thanks @frivoal for bringing this up. I haven't fully read the CSS spatial navigation spec, but based on what I read I have a question: Would tabindex="-1" not be enough to prevent spatial navigation into malicious iframes? Is the navigation-override feature policy needed?

In terms of preventing .focus() we were thinking of having it allowed by default not to break backward compatibility as per the discussion: w3c/webappsec#543 (comment). However, it might be a good idea to have both cases controlled with one feature policy, just it would need to be allowed by default. What do you think about that?

[frivoal]

In our case, we're not try to prevent the focus from going to the iframe, but rather to prevent the iframe from trapping the focus of it goes there, and never letting it leave. Spatial navigation would naturally find its way out if the user was just navigating, but spatial navigation also emits events that let the page author time which element to go to when the user wants to go in a particular direction. But an evil iframe could use these events to prevent the focus from ever returning to the rest of the page. With the feature policy, we turn off these events inside non trusted iframes by default, with an opt-in.

[mustaqahmed]

In Chrome we are planning to add a feature policy for this. FYI: @ehsan-karamad @clelland.

We are proposing allow-focus-without-user-activation to make it obvious to devs that user interaction with the iframe would still work, and this seems in-line with other existing FP names. @marian-r, @frivoal: wdyt?

[ehsan-karamad]

Just adding a minor point to @mustaqahmed 's comment where the policy name (we are proposing) is focus-without-user-activation. All suggestions welcome!

[marian-r]

@ehsan-karamad @mustaqahmed thanks, name sounds good to me 👍 Please keep us posted about the progress.

[ehsan-karamad]

I added a PR for an explainer. I am trying to address the following issues with it:

• disable use of autofocus, element.focus, and window.focus (when policy is disabled).
• make sure focus logic runs as much as possible; it just does not lead to changing the focusable area (i.e., not targeted for user input).

All suggestions welcome!

[craigfrancis]

The current explainer suggests automatic focus will be blocked in the top-level document as well as framed content.

Should it be made explicit that it will only effect framed content? or is the intention to block all focus attempts without user activation?

The current implementation in Chrome Beta (75.0.3770.80) seems to only effect framed content.

[ehsan-karamad]

To clarify, focus is blocked when focus-without-user-activation is disabled in a document, and the default feature allowlist is * which means all documents are allowed to use focus by default. However, if the feature is disabled for a document, regardless of being top-level or in a subframe, focus shouldn't work.

Should it be made explicit that it will only effect framed content? or is the intention to block all focus attempts without user activation?

I personally prefer what the document says (extra mile), i.e., disable focus in all sandboxed frames and do not make the main frame an exception. In Chrome we do not do that today and only sandboxed subframes are blocked. WDYT?

The current implementation in Chrome Beta (75.0.3770.80) seems to only effect framed content.

I believe you are right.

[craigfrancis]

Personally I’d prefer if it worked for everything (i.e. including the top-level document as well), only because the feature policy name does not imply it’s limited to framed content.

But is there a valid case for focus-without-user-activation only working on framed content?

Maybe a page that frames something on the current domain, where the framed content should not change focus? I doubt that’s useful though, as something on the same-domain you don’t trust (e.g. user supplied content), should use sandbox without allow-same-origin, which should mean ‘self’ no longer applies.

[ehsan-karamad]

It think the feature policy name could be debated. To apply the feature to top-level means that if user clicked and opened a link from such a <iframe> then the opened content would likely not be able to use programmatic focus without user activation...which sounds OK. But it also seems strange to have the feature disabled for the whole page. In any case deferring judgement to @clelland.

[clelland]

I think that for consistency, making it applicable to the top-level document makes sense. It's never going to be the default situation - you'd have to explicitly opt in to that via a header (even in popups, I believe, since the policy should be reset in that case). I don't see a use case for it, but I think it makes reasoning about the feature easier, if it's not special, and works the same way that other features do.

[marian-r]

@ehsan-karamad @clelland what are the current plans with this new feature policy?

[clelland]

I'd like to get this standardized; the explainer needs to be updated, and an actual HTML spec change written, I think. It's currently experimental in Chrome, but hasn't actually shipped in any browser.

[marian-r]

Thanks @clelland. I don't want to put pressure, just wanted to know whether there is any rough timeline on when we could expect any movement?

[josephrocca]

Hey @clelland sorry for the ping, just wanted to know if there's any update/timeline on this feature?

(Also wondering if, in the meantime, there's currently any hacky workaround to prevent an external/cross-site iframe from grabbing focus? My use case is rogue/buggy third-party ads, fwiw)

[clelland]

No status update, but there is more and more support for the feature, so I think (barring major bugs, or finding out that making this the default on the web breaks a lot of sites) that we could probably be able to ship this soon. (no specific timeline though)

[JoeAzar]

We too (YT Video Processing) would love to see this feature implemented.

[SHISME]

Still not work for chrome122 , has any update?

<iframe allow="focus-without-user-activation 'none' " />

[josephrocca]

has any update?

No (public) movement from Chrome in quite a while, it seems:

• https://issues.chromium.org/issues/40095111
• https://groups.google.com/a/chromium.org/g/blink-dev/c/pnUiTrLHHmw

Recently I've been getting more user reports of ads calling window.focus() at very "convenient"-seeming times which causes the mobile keyboard to close mid-typing which reveals the (anchored/sticky) ad underneath, which the user then accidentally taps.

I don't know if this is deliberate, but I'm pretty sure this exploit is actually technically achievable via some intersection observer trickery (it wouldn't result in a 100% accurate forced-click, but it'd be "good enough").

[bozghiyy]

Dealing with same issue, would love an option to disable this in iframes. I do not see a use case for ads to be able to steal focus.
I tried different workarounds but nothing worked. Did anyone has an alternative solution until this gets concluded?

[josephrocca]

This is tangential, but for those interested: I just noticed while doing some cross-browser testing that Opera seems to have implemented a user agent intervention for this. This error shows up in DevTools when a rogue advert tries to steal focus:

However, it doesn't seem to be 100% effective. I could be wrong, but I think they may only be adding a handler after DOMContentLoaded - and some ads steal focus before that (i.e. during the initial synchronous execution of JS as the page is parsed).

[josephrocca]

Did anyone has an alternative solution until this gets concluded?

@bozghiyy No, there is nothing at all that can be done to stop this in the general case.¹ I've tried literally everything. I'm surprised that companies who heavily rely on the health of the online advertising ecosystem (like Google) haven't given this more attention. If not spec work, then at least a targeted intervention for advert iframes (which IIUC, Chromium already detects/labels), which I assume could be pushed to production a lot faster.

If anyone knows if it's possible to sponsor work around this issue, please let me know.

¹ There are narrow cases where it can be prevented - e.g. if you can predict when the iframe is about to steal focus, then you can add display:none; to the iframe temporarily.

[siliu1]

I am going to discuss this issue at TPAC 2024 next week in Web Application Security WG meeting.

Here is a brief recap of the issue:
focus-without-user-activation is a new feature policy that can be used to block programmatic focus changes that are not triggered through user activation. The motivation behind the change is to provide better security for websites that embed third party contents.

However, the issue is left open with some unanswered questions. I want to go through all open questions during the meeting and hopefully bring the issue to a resolution:

1. what should be default value? * vs self? There is discussion about the default value here Feature Policy: focus-without-user-activation whatwg/html#4585 (comment). The proposed default value is self. However, will the default value self be web compatible?

   Proposed solution: Update the spec PR to change the default value to self. We will try out the implementation in Chromium and report back if there are web compat issues.

2. Should we still allow programmatically set focus from parent frame into nested frames even though the nested frame has focus-without-user-activation policy set to none?

   Proposed solution: We should allow focus transition from parent frame to inner frames programmatically and update the spec PR to reflect that.

[clelland]

In case I can't attend the meeting in person, these are my opinions:

1. Since this is about reducing existing abuse, self seems to be the better choice here. Autofocus, whether programmatic or declarative, then becomes a powerful feature that must be delegated from the top frame. Subframes cannot "steal" focus without their embedder's consent. Users can always choose to click in the subframe, which would either focus a field directly, or would activate the frame, allowing it to use JS methods to change the focussed element at that point.

   That said, I know of one example where this currently fails, as implemented: Embedding a Google Doc inside of an iframe with this mechanism enabled currently can't click into the content area of the document and focus there. It will require a bit more investigation to see whether that is an implementation bug in Chrome, a change that Google Docs could make, or something else. Embedding the same document with <iframe allow="focus-without-user-activation"> works without any problems.

2. I think that pushing focus down from the parent into the subframe should work. Doing that shoudn't grant the subframe the ability to start setting focus by itself though, unless setting focus in that way would automatically activate the frame. I don't feel super strongly about this, though, and could probably be convinced the other way.

[siliu1]

We discussed this issue during TPAC 2024 webappsec WG group meeting. Minutes: https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-09-23-TPAC-Minutes.md#permission-policy-autofocus.

This topic was also discussed during TPAC 2024 in WHATWG meeting. Minutes: whatwg/meta#326 (comment).

The proposed solution is accepted:

RESOLVED: The default value of focus-without-user-activation feature policy should be self. Focus delegation should also be allowed (allow parent frame programmatically set focus into child iframe).

We should use whatwg/html#4326 from now on to keep track of the html spec PR update.