惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Spread Privacy
Spread Privacy
K
Kaspersky official blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Forbes - Security
Forbes - Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
The Last Watchdog
The Last Watchdog
SecWiki News
SecWiki News
Attack and Defense Labs
Attack and Defense Labs
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
S
Secure Thoughts
WordPress大学
WordPress大学
Microsoft Security Blog
Microsoft Security Blog
P
Proofpoint News Feed
云风的 BLOG
云风的 BLOG
V
Visual Studio Blog
Security Latest
Security Latest
TaoSecurity Blog
TaoSecurity Blog
Cyberwarzone
Cyberwarzone
S
SegmentFault 最新的问题
Cloudbric
Cloudbric
aimingoo的专栏
aimingoo的专栏
S
Schneier on Security
N
Netflix TechBlog - Medium
MyScale Blog
MyScale Blog
T
The Blog of Author Tim Ferriss
H
Hacker News: Front Page
C
Cybersecurity and Infrastructure Security Agency CISA
小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
AWS News Blog
AWS News Blog
AI
AI
G
GRAHAM CLULEY
IT之家
IT之家
P
Privacy & Cybersecurity Law Blog
L
Lohrmann on Cybersecurity
Last Week in AI
Last Week in AI
D
Docker
Recent Announcements
Recent Announcements
O
OpenAI News
T
Threat Research - Cisco Blogs
GbyAI
GbyAI
S
Security @ Cisco Blogs
T
Troy Hunt's Blog
C
Check Point Blog
博客园 - 三生石上(FineUI控件)
A
About on SuperTechFans
The Cloudflare Blog
阮一峰的网络日志
阮一峰的网络日志
N
News and Events Feed by Topic

Recent Commits to webappsec-permissions-policy:main

Add WebMCP link to features.md · w3c/webappsec-permissions-policy@c10c76d Add WebMCP link to features.md · w3c/webappsec-permissions-policy@10d8736 Add `monetization` feature (#571) · w3c/webappsec-permissions-policy@876a190 Add Permissions Policy for Digital Credentials Issuance (#573) · w3c/webappsec-permissions-policy@29efab0 Add proposed features from Chrome's Built-In AI APIs (#570) · w3c/webappsec-permissions-policy@4de8724 Replace `shared-autofill` with `autofill` and `manual-text` (#560) · w3c/webappsec-permissions-policy@6f3b837 Do not use request's window concept (#565) · w3c/webappsec-permissions-policy@20ab675 focus-without-user-activation: Add missing HTML closing quote in exam… · w3c/webappsec-permissions-policy@b5dde2c Merge pull request #559 from shhnjk/main · w3c/webappsec-permissions-policy@e9edeb5 Put PermissionsPolicyViolationReportBody/allowAttribute back · w3c/webappsec-permissions-policy@1c37e68 Update index.bs · w3c/webappsec-permissions-policy@7c8ed48 Nit · w3c/webappsec-permissions-policy@173adc5 add allow and src attribute to potential permissions policy violation · w3c/webappsec-permissions-policy@bb175d2 Add `ch-ua-high-entropy-values` feature (#558) · w3c/webappsec-permissions-policy@8430c86 Send reports for Permissions Policy violations in iframe to parent fr… · w3c/webappsec-permissions-policy@314ffc9 Add `storage-access` feature · w3c/webappsec-permissions-policy@c73ef39 Add 'deferred-fetch' as proposed feature · w3c/webappsec-permissions-policy@dedd81f Add mediasession feature · w3c/webappsec-permissions-policy@8ef8664 Clarify picture-in-picture shipping status · w3c/webappsec-permissions-policy@1d05f5e
[focus-without-user-activation] Add alternative solutions (#563) · w3c/webappsec-permissions-policy@298d386
ffiori · 2025-07-19 · via Recent Commits to webappsec-permissions-policy:main

@@ -11,13 +11,13 @@ Automatic focus could happen through:

1111

* Use of scripted focus such as `element.focus()` and `window.focus()`.

12121313

Automatic focus is potentially

14-

[problematic](https://github.com/w3c/webappsec-feature-policy/issues/273) since it provides bad

14+

[problematic](https://github.com/w3c/webappsec-permissions-policy/issues/273) since it provides bad

1515

embedded content with a tool to steal input focus from the top-level. The proposed feature provides

1616

a means for developers to block the use of automatic focus in nested contents.

17171818

Proposed Solution

1919

------------

20-

The proposed feature policy can be used to limit the use of automatic focus. Essentially, when the

20+

The proposed permissions policy can be used to limit the use of automatic focus. Essentially, when the

2121

policy is disabled in a document, scripted and automatic focus will only work if the focus has been

2222

initialized through user activation. This essentially means that `autofocus` will be disabled

2323

(unless a new element is inserted, with `autofocus`, as a result of user gesture). The scripted

@@ -32,13 +32,13 @@ In a nutshell:

3232

* Around step 4 of the [spec](https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#attr-fe-autofocus) for `autofocus` the algorithm should return if the policy `focus-without-user-activation` is disabled and the algorithm is not

3333

[triggered by user activation](https://html.spec.whatwg.org/multipage/interaction.html#triggered-by-user-activation).

3434

* Before starting [steps](https://html.spec.whatwg.org/multipage/interaction.html#dom-window-focus) for `element.focus(options)` the same verification for the policy and user activation should be performed.

35-

* Around step 2 of the the [spec](https://html.spec.whatwg.org/multipage/interaction.html#dom-window-focus) for `window.focus()` the same enforcement should be made (using the browsing context of the `window` itself to obtain the feature policy state.

35+

* Around step 2 of the [spec](https://html.spec.whatwg.org/multipage/interaction.html#dom-window-focus) for `window.focus()`, the same enforcement should be made (using the browsing context of the `window` itself to obtain the permissions policy state).

36363737

Using the Feature

3838

-------------

3939

This feature can be introduced with the HTTP headers. For instance,

4040

```HTTP

41-

Feature-Policy: focus-without-user-activation 'none'

41+

Permissions-Policy: focus-without-user-activation=()

4242

```

4343

would cause the use of automatic focus in the page (and nested contexts) to fail unless it

4444

has been triggered by user activation.

@@ -54,3 +54,34 @@ The Extra Mile

5454

-----------

5555

Automatic focus, in general, poses security concerns. It might be a good idea to disable this policy

5656

in all sandbox-ed frames (treat the policy as a sandbox flag).

57+58+

Alternative Solutions Considered

59+

-----------

60+

This section lists other possible solutions that were considered during the development of the proposal outlined in this explainer.

61+62+

1. **HTMLIFrameElement boolean attribute**: A new `disallowprogrammaticfocus` boolean attribute on the [HTMLIFrameElement](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#htmliframeelement) was explored. When set, this attribute would prevent all nested iframes from taking input focus through script. An example implementation would look as follows:

63+64+

```html

65+

<!DOCTYPE html>

66+

<html>

67+

<head>

68+

<meta charset="utf-8">

69+

<title>iframe steal focus prevention</title>

70+

</head>

71+

<body>

72+

<iframe src=""

73+

disallowprogrammaticfocus>

74+

</iframe>

75+

</body>

76+

</html>

77+

```

78+79+

In this approach, the iframe would be unable to steal focus unless the user explicitly switches focus to that element.

80+81+

This approach was abandoned because it represents a heavier-weight solution compared to a permissions policy. Additionally, it would be easier for sites to adopt a new permissions policy if they are already using permissions policies to control other behaviors, rather than introducing a new HTML attribute.

82+83+

2. **Alternative policy naming**: An alternative policy name was considered: `disallow-programmatic-focus`. However, to maintain consistency with existing permissions policies, it is more appropriate to use positive polarity (where denying the policy disables the functionality) for backwards compatibility.

84+85+

3. **Sandbox flag approach**: The possibility of implementing this control as a [sandbox](https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement/sandbox) flag was analyzed instead of a permissions policy.

86+87+

Adding this functionality to the sandbox would be potentially breaking, as it would immediately affect every sandboxed frame and require all sites to update their code if they needed to restore the functionality. In contrast, implementing this as a permissions policy is non-breaking: with a default allowlist of `'self'`, it provides an opt-in control mechanism that is enabled by default everywhere but can be selectively disabled when needed.