Feature Policy: focus-without-user-activation

A feature policy to restrict the use of programmatic focus when it is not triggered by a user activation. The proposed policy provides a way to control access to the focus API without user activation; the immediate use case is restricting all sandboxed frames. "Focus API" in this context refers to the focus management API and autofocus.

Programmatic focus is a potential security problem for users: it can be abused to hijack user input into third-party content. There seems to be little to no justification for third-party content to use such features, let alone in cases where the embedded content has not yet received a user gesture.
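The following is an added illustration, not code from the original page or from Chromium: an embedder denies `focus-without-user-activation` to a sandboxed third-party frame through the iframe `allow` attribute (the equivalent `Feature-Policy` header is shown in a comment), and the embedded widget shows the two cases the policy distinguishes, focus without a user gesture versus focus inside a click handler. The origins, file names and the `document.featurePolicy.allowsFeature()` introspection are assumptions; the feature is behind a flag in the Chrome 76 builds listed below.

```html
<!-- embedder.html (constructed example): the top-level page -->
<!-- Header form for the whole document, if set server-side:
     Feature-Policy: focus-without-user-activation 'self' -->
<!DOCTYPE html>
<html>
<body>
  <input id="search" placeholder="Search">
  <!-- Third-party widget in a sandboxed frame. The allow attribute denies
       focus-without-user-activation to the frame, matching the page's stated
       use case of restricting all sandboxed frames. -->
  <iframe src="https://third-party.example/widget.html"
          sandbox="allow-scripts"
          allow="focus-without-user-activation 'none'"></iframe>
</body>
</html>

<!-- widget.html (constructed example): the embedded third-party content -->
<!DOCTYPE html>
<html>
<body>
  <!-- autofocus is part of the restricted surface, so this attribute alone
       must not move focus away from the embedder's own controls. -->
  <input id="name" placeholder="Your name" autofocus>
  <button id="start">Start</button>
  <script>
    // Policy introspection (assumption: document.featurePolicy is exposed in
    // this build; the feature itself is behind a flag in Chrome 76).
    const allowed = !!document.featurePolicy &&
      document.featurePolicy.allowsFeature('focus-without-user-activation');

    // Programmatic focus with no user activation: the case the policy restricts.
    // With the embedder's allowlist of 'none', this is expected to have no effect.
    document.getElementById('name').focus();
    console.log('allowed without activation:', allowed,
                '| activeElement:', document.activeElement.id || '(none)');

    // Focus requested from within a user activation (a click handler) is outside
    // the policy's scope, so the widget keeps working for users who interact.
    document.getElementById('start').addEventListener('click', () => {
      document.getElementById('name').focus();
    });
  </script>
</body>
</html>
```

Loading the embedder with the flag enabled and comparing `document.activeElement` in the frame before and after clicking "Start" shows the restriction in effect.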

Comments

Initially proposed by developers as an issue on feature-policy repo: https://github.com/w3c/webappsec-feature-policy/issues/273

Status in Chromium

Blink>DOM


Behind a flag (tracking bug) in:

  • Chrome for desktop release 76
  • Chrome for Android release 76
  • Android WebView release 76

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No public signals
  • No public signals
  • No public signals
  • Positive

Last updated on 2019-05-22