Feature Policy: focus-without-user-activation

A feature policy that restricts the use of programmatic focus when it is not triggered by a user activation. The proposed policy provides a way to control access to the focus API in the absence of a user activation. The immediate use case is restricting all sandboxed frames. "Focus API", in this context, refers to the focus management API (e.g. `element.focus()`) and the `autofocus` attribute.

Motivation

Programmatic focus is a potential security problem for users: it can be abused to hijack user input into third-party content (for example, an embedded frame moving focus into itself so that keystrokes intended for the top-level page land in the frame). There is little to no justification for the use of such features from third-party content, let alone in cases where the embedded content has not yet received a user gesture. Restricting programmatic focus until a user activation has occurred removes this capability from content that has not been interacted with, while leaving focus changes that follow a genuine user action unaffected.

Documentation

Specification

Public discussion

Status in Chromium

Blink>DOM

In developer trial (behind a flag; tracking bug) in:

  • Chrome for desktop release 76
  • Chrome for Android release 76
  • Android WebView release 76

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • Positive

Owners

Comments

Initially proposed by developers as an issue on the feature-policy repo: https://github.com/w3c/webappsec-feature-policy/issues/273

Last updated on 2020-09-25