Feature Policy: focus-without-user-activation

[siliu1]

focus-without-user-activation is a new feature policy that can be used to block programmatic focus changes that are not triggered through user activation (explainer).

The motivation behind this feature policy is to provide better security for websites that embed third party contexts.

This change makes modifications to the following focus API:

• autofocus
• element.focus(options)
• window.focus()

The WHATWG resolved to add a new feature policy, focus-without-user-activation, to control whether third-party iframes can take focus programmatically. (w3c/webappsec-permissions-policy#273 (comment))

The original PR contains all prior discussions regarding the feature policy. However, since I don't have editor access to it, I've created this new PR.

• At least two implementers are interested (and none opposed):
  • Chromium.
  • Gecko: focus-without-user-activation feature policy mozilla/standards-positions#1080
  • WebKit: focus-without-user-activation feature policy WebKit/standards-positions#406
• Tests are written and can be reviewed and commented upon at:
  • wpt/feature-policy/experimental-features/focus-without-user-activation-disabled-tentative.html
  • wpt/feature-policy/experimental-features/focus-without-user-activation-enabled-tentative.sub.html
• Implementation bugs are filed:
  • Chromium: https://issues.chromium.org/issues/371112534
  • Gecko: https://bugzilla.mozilla.org/show_bug.cgi?id=1930537
  • WebKit: https://bugs.webkit.org/show_bug.cgi?id=282951
• MDN issue is filed: Add focus-without-user-activation permissions policy mdn/content#37532
• The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)

---

/acknowledgements.html ( diff )
/infrastructure.html ( diff )
/interaction.html ( diff )
/interactive-elements.html ( diff )
/popover.html ( diff )

[zcorpan]

There are more APIs that call the focusing steps. For example showModal() on dialog. See https://html.spec.whatwg.org/multipage/interaction.html#focusing-steps (click on "focusing steps" to see callers).

[siliu1]

There are more APIs that call the focusing steps. For example showModal() on dialog. See https://html.spec.whatwg.org/multipage/interaction.html#focusing-steps (click on "focusing steps" to see callers).

This is a good catch. I added extra steps in dialog focusing steps and popover focusing steps to respect the new focus-without-user-activation policy.

[sanketj]

There are more APIs that call the focusing steps. For example showModal() on dialog. See https://html.spec.whatwg.org/multipage/interaction.html#focusing-steps (click on "focusing steps" to see callers).

This is a good catch. I added extra steps in dialog focusing steps and popover focusing steps to respect the new focus-without-user-activation policy.

There seem to be more APIs than just the above ones that reference "focusing steps".

[#focusing-steps](https://html.spec.whatwg.org/multipage/interaction.html#focusing-steps)

Referenced in:
[2.1.4 DOM trees](https://html.spec.whatwg.org/multipage/infrastructure.html#dom-trees:focusing-steps)
[4.10.20.2 Constraint validation](https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#constraint-validation:focusing-steps)
[4.10.20.3 The constraint validation API](https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#the-constraint-validation-api:focusing-steps)
[4.11.3.7 Using the accesskey attribute to define a command on other elements](https://html.spec.whatwg.org/multipage/interactive-elements.html#using-the-accesskey-attribute-to-define-a-command-on-other-elements:focusing-steps)
[4.11.4 The dialog element](https://html.spec.whatwg.org/multipage/interactive-elements.html#the-dialog-element:focusing-steps) [(2)](https://html.spec.whatwg.org/multipage/interactive-elements.html#the-dialog-element:focusing-steps-2)
[6.6.2 Data model](https://html.spec.whatwg.org/multipage/interaction.html#data-model:focusing-steps)
[6.6.4 Processing model](https://html.spec.whatwg.org/multipage/interaction.html#focus-processing-model:focusing-steps) [(2)](https://html.spec.whatwg.org/multipage/interaction.html#focus-processing-model:focusing-steps-2) [(3)](https://html.spec.whatwg.org/multipage/interaction.html#focus-processing-model:focusing-steps-3) [(4)](https://html.spec.whatwg.org/multipage/interaction.html#focus-processing-model:focusing-steps-4)
[6.6.5 Sequential focus navigation](https://html.spec.whatwg.org/multipage/interaction.html#sequential-focus-navigation:focusing-steps)
[6.6.6 Focus management APIs](https://html.spec.whatwg.org/multipage/interaction.html#focus-management-apis:focusing-steps) [(2)](https://html.spec.whatwg.org/multipage/interaction.html#focus-management-apis:focusing-steps-2)
[6.6.7 The autofocus attribute](https://html.spec.whatwg.org/multipage/interaction.html#the-autofocus-attribute:focusing-steps)
[6.8.2 Making entire documents editable: the designMode getter and setter](https://html.spec.whatwg.org/multipage/interaction.html#making-entire-documents-editable:-the-designmode-idl-attribute:focusing-steps)
[6.12 The popover attribute](https://html.spec.whatwg.org/multipage/popover.html#the-popover-attribute:focusing-steps) [(2)](https://html.spec.whatwg.org/multipage/popover.html#the-popover-attribute:focusing-steps-2)
[7.2.6.8 Ongoing navigation tracking](https://html.spec.whatwg.org/multipage/nav-history-apis.html#ongoing-navigation-tracking:focusing-steps)
[7.2.6.10.4 Scroll and focus behavior](https://html.spec.whatwg.org/multipage/nav-history-apis.html#navigate-event-scroll-focus:focusing-steps)
[7.4.6.4 Scrolling to a fragment](https://html.spec.whatwg.org/multipage/browsing-the-web.html#scrolling-to-a-fragment:focusing-steps)
[8.1.7.3 Processing model](https://html.spec.whatwg.org/multipage/webappapis.html#event-loop-processing-model:focusing-steps)

Were you able to go through all of them and confirm that the ones you are updating herewith are the only ones that need updates?

[sanketj]

• At least two implementers are interested (and none opposed):

  • Chromium.
  • Gecko: focus-without-user-activation feature policy mozilla/standards-positions#1080
  • WebKit: focus-without-user-activation feature policy WebKit/standards-positions#406

• Tests are written and can be reviewed and commented upon at:

  • wpt/feature-policy/experimental-features/focus-without-user-activation-disabled-tentative.html
  • wpt/feature-policy/experimental-features/focus-without-user-activation-enabled-tentative.sub.html

• Implementation bugs are filed:

  • Chromium: https://issues.chromium.org/issues/371112534
  • Gecko: TBA
  • WebKit: TBA

• MDN issue is filed: …

• The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)

Could you mark the entries in the checklist that have been completed via [x]? For the ones that are not complete, could you try to complete them? (Ex. filing implementation bugs on Gecko and WebKit)

[annevk]

This looks reasonable, but it looks like you got in a race with the bot when updating OP. Each time you make an edit (including checking a checkbox) the bot will run. So it's best to click edit and change it all in one go and then wait for the bot to update before making another change.

Though also, if you filed bugs against Gecko/WebKit those need to be linked.

[annevk]

I found some more substantial issues. Please also create an MDN issue.

[annevk]

Only a couple editorial nits left. @zcorpan want to review as well?

[siliu1]

@annevk I addressed all your feedback. Please let me know if we can merge this PR. Thank you!

[sanketj]

@annevk Just checking if you had any more feedback on this one?

@zcorpan Were you planning on reviewing this as well?

[annevk]

This looks great, I appreciate your diligence!

One thing I noticed just now that doesn't impact the change directly is that this is a Permission Policy, not a Feature Policy. I'll fix that up in the commit message.

[annevk]

@siliu1 @sanketj there should also have been a PR to rename the tests away from .tentative. I haven't blocked on that this time but please make sure that is there next time around. And please rename the tests away from .tentative as soon as possible. Thanks!

[marian-r]

Thanks @siliu1 and @annevk for your contributions. Shall we consider original proposals #4326 and w3c/webappsec-permissions-policy#273 as done now or is there anything else to be done?

[siliu1]

Thanks @siliu1 and @annevk for your contributions. Shall we consider original proposals #4326 and w3c/webappsec-permissions-policy#273 as done now or is there anything else to be done?

Yeah, I think we can close the original issues #4326 and w3c/webappsec-permissions-policy#273.

[sanketj]

@siliu1 @sanketj there should also have been a PR to rename the tests away from .tentative. I haven't blocked on that this time but please make sure that is there next time around. And please rename the tests away from .tentative as soon as possible. Thanks!

Thanks @annevk! This should be taken care of now. Any thoughts on updating the PR template to remind people to mark their tests non-tentative?

[annevk]

There is a reminder in a source comment: https://github.com/whatwg/html/blob/main/PULL_REQUEST_TEMPLATE.md?plain=1