惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Recent Commits to openclaw:main
Recent Commits to openclaw:main
L
LangChain Blog
月光博客
月光博客
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 【当耐特】
宝玉的分享
宝玉的分享
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Last Week in AI
Last Week in AI
人人都是产品经理
人人都是产品经理
博客园_首页
T
Tailwind CSS Blog
P
Proofpoint News Feed
雷峰网
雷峰网
D
Darknet – Hacking Tools, Hacker News & Cyber Security
IT之家
IT之家
V
Vulnerabilities – Threatpost
阮一峰的网络日志
阮一峰的网络日志
C
CERT Recently Published Vulnerability Notes
Attack and Defense Labs
Attack and Defense Labs
S
Schneier on Security
Security Archives - TechRepublic
Security Archives - TechRepublic
L
Lohrmann on Cybersecurity
V
Visual Studio Blog
云风的 BLOG
云风的 BLOG
WordPress大学
WordPress大学
The Register - Security
The Register - Security
N
Netflix TechBlog - Medium
Hugging Face - Blog
Hugging Face - Blog
Project Zero
Project Zero
博客园 - 叶小钗
F
Full Disclosure
大猫的无限游戏
大猫的无限游戏
Latest news
Latest news
S
SegmentFault 最新的问题
C
Cyber Attacks, Cyber Crime and Cyber Security
Google Online Security Blog
Google Online Security Blog
Recorded Future
Recorded Future
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hacker News - Newest:
Hacker News - Newest: "LLM"
腾讯CDC
L
LINUX DO - 最新话题
Google DeepMind News
Google DeepMind News
P
Privacy International News Feed
I
InfoQ
F
Fortinet All Blogs
Vercel News
Vercel News
H
Hackread – Cybersecurity News, Data Breaches, AI and More
T
Threatpost
T
Tenable Blog
B
Blog RSS Feed

Recent Commits to webappsec-permissions-policy:main

Add WebMCP link to features.md · w3c/webappsec-permissions-policy@c10c76d Add WebMCP link to features.md · w3c/webappsec-permissions-policy@10d8736 Add `monetization` feature (#571) · w3c/webappsec-permissions-policy@876a190 Add Permissions Policy for Digital Credentials Issuance (#573) · w3c/webappsec-permissions-policy@29efab0 Add proposed features from Chrome's Built-In AI APIs (#570) · w3c/webappsec-permissions-policy@4de8724 Replace `shared-autofill` with `autofill` and `manual-text` (#560) · w3c/webappsec-permissions-policy@6f3b837 Do not use request's window concept (#565) · w3c/webappsec-permissions-policy@20ab675 focus-without-user-activation: Add missing HTML closing quote in exam… · w3c/webappsec-permissions-policy@b5dde2c Merge pull request #559 from shhnjk/main · w3c/webappsec-permissions-policy@e9edeb5 Put PermissionsPolicyViolationReportBody/allowAttribute back · w3c/webappsec-permissions-policy@1c37e68 Update index.bs · w3c/webappsec-permissions-policy@7c8ed48 Nit · w3c/webappsec-permissions-policy@173adc5 add allow and src attribute to potential permissions policy violation · w3c/webappsec-permissions-policy@bb175d2 Add `ch-ua-high-entropy-values` feature (#558) · w3c/webappsec-permissions-policy@8430c86 Send reports for Permissions Policy violations in iframe to parent fr… · w3c/webappsec-permissions-policy@314ffc9 Add `storage-access` feature · w3c/webappsec-permissions-policy@c73ef39 Add 'deferred-fetch' as proposed feature · w3c/webappsec-permissions-policy@dedd81f Add mediasession feature · w3c/webappsec-permissions-policy@8ef8664 Clarify picture-in-picture shipping status · w3c/webappsec-permissions-policy@1d05f5e
[focus-without-user-activation] Add alternative solutions (#563) · w3c/webappsec-permissions-policy@298d386
ffiori · 2025-07-19 · via Recent Commits to webappsec-permissions-policy:main

@@ -11,13 +11,13 @@ Automatic focus could happen through:

1111

* Use of scripted focus such as `element.focus()` and `window.focus()`.

12121313

Automatic focus is potentially

14-

[problematic](https://github.com/w3c/webappsec-feature-policy/issues/273) since it provides bad

14+

[problematic](https://github.com/w3c/webappsec-permissions-policy/issues/273) since it provides bad

1515

embedded content with a tool to steal input focus from the top-level. The proposed feature provides

1616

a means for developers to block the use of automatic focus in nested contents.

17171818

Proposed Solution

1919

------------

20-

The proposed feature policy can be used to limit the use of automatic focus. Essentially, when the

20+

The proposed permissions policy can be used to limit the use of automatic focus. Essentially, when the

2121

policy is disabled in a document, scripted and automatic focus will only work if the focus has been

2222

initialized through user activation. This essentially means that `autofocus` will be disabled

2323

(unless a new element is inserted, with `autofocus`, as a result of user gesture). The scripted

@@ -32,13 +32,13 @@ In a nutshell:

3232

* Around step 4 of the [spec](https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#attr-fe-autofocus) for `autofocus` the algorithm should return if the policy `focus-without-user-activation` is disabled and the algorithm is not

3333

[triggered by user activation](https://html.spec.whatwg.org/multipage/interaction.html#triggered-by-user-activation).

3434

* Before starting [steps](https://html.spec.whatwg.org/multipage/interaction.html#dom-window-focus) for `element.focus(options)` the same verification for the policy and user activation should be performed.

35-

* Around step 2 of the the [spec](https://html.spec.whatwg.org/multipage/interaction.html#dom-window-focus) for `window.focus()` the same enforcement should be made (using the browsing context of the `window` itself to obtain the feature policy state.

35+

* Around step 2 of the [spec](https://html.spec.whatwg.org/multipage/interaction.html#dom-window-focus) for `window.focus()`, the same enforcement should be made (using the browsing context of the `window` itself to obtain the permissions policy state).

36363737

Using the Feature

3838

-------------

3939

This feature can be introduced with the HTTP headers. For instance,

4040

```HTTP

41-

Feature-Policy: focus-without-user-activation 'none'

41+

Permissions-Policy: focus-without-user-activation=()

4242

```

4343

would cause the use of automatic focus in the page (and nested contexts) to fail unless it

4444

has been triggered by user activation.

@@ -54,3 +54,34 @@ The Extra Mile

5454

-----------

5555

Automatic focus, in general, poses security concerns. It might be a good idea to disable this policy

5656

in all sandbox-ed frames (treat the policy as a sandbox flag).

57+58+

Alternative Solutions Considered

59+

-----------

60+

This section lists other possible solutions that were considered during the development of the proposal outlined in this explainer.

61+62+

1. **HTMLIFrameElement boolean attribute**: A new `disallowprogrammaticfocus` boolean attribute on the [HTMLIFrameElement](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#htmliframeelement) was explored. When set, this attribute would prevent all nested iframes from taking input focus through script. An example implementation would look as follows:

63+64+

```html

65+

<!DOCTYPE html>

66+

<html>

67+

<head>

68+

<meta charset="utf-8">

69+

<title>iframe steal focus prevention</title>

70+

</head>

71+

<body>

72+

<iframe src=""

73+

disallowprogrammaticfocus>

74+

</iframe>

75+

</body>

76+

</html>

77+

```

78+79+

In this approach, the iframe would be unable to steal focus unless the user explicitly switches focus to that element.

80+81+

This approach was abandoned because it represents a heavier-weight solution compared to a permissions policy. Additionally, it would be easier for sites to adopt a new permissions policy if they are already using permissions policies to control other behaviors, rather than introducing a new HTML attribute.

82+83+

2. **Alternative policy naming**: An alternative policy name was considered: `disallow-programmatic-focus`. However, to maintain consistency with existing permissions policies, it is more appropriate to use positive polarity (where denying the policy disables the functionality) for backwards compatibility.

84+85+

3. **Sandbox flag approach**: The possibility of implementing this control as a [sandbox](https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement/sandbox) flag was analyzed instead of a permissions policy.

86+87+

Adding this functionality to the sandbox would be potentially breaking, as it would immediately affect every sandboxed frame and require all sites to update their code if they needed to restore the functionality. In contrast, implementing this as a permissions policy is non-breaking: with a default allowlist of `'self'`, it provides an opt-in control mechanism that is enabled by default everywhere but can be selectively disabled when needed.