[focus-without-user-activation] Behavior of programmatically setting focus #576
Description
It was resolved in TPAC 2024 that "Focus delegation should also be allowed (allow parent frame programmatically set focus into child iframe)" but wanted to clarify some scenarios.
I understand it should behave as in the following algorithm:
algorithm is_allowed_to_set_focus(focus_setter_frame, currently_focused_frame):
if focus_setter_frame has the policy allowed:
return true
if currently_focused_frame is an inclusive descendant frame of focus_setter_frame:
return true
return false
Some specific cases that might be worth analyzing separately:
- If a frame has the policy disabled and it's currently focused,
a. Can it move focus around inside itself with let's sayelement.focus()?
b. What about passing focus to a subframe withiframe.focus()? - Let's say we have frame A which hosts iframes B and C, all of them with the feature disabled. If B is focused,
a. Can A set focus on any element of itself?
b. Can A move focus to C?
As far as I understand (and as represented in the algorithm is_allowed_to_set_focus), all of the above examples (1a, 1b, 2a, 2b) should be possible because the idea behind the policy is to prevent focus stealing, not restrict what a frame can do once it has focus. Would like to hear if anyone has a different interpretation of the resolutions and open to discuss this further.
Here's a table with some more cases and what the algorithm above allows:
| Case | Policy Allowed on focus_setter_frame |
focus_setter_frame |
currently_focused_frame |
Allowed to Set Focus? |
|---|---|---|---|---|
| 1 | No | Parent | Child | Yes |
| 2 | No | Child | Parent | No |
| 3 | No | Grandparent | Grandchild | Yes |
| 4 | No | Grandchild | Grandparent | No |
| 5 | No | Same frame | Same frame | Yes |
| 6 | Yes | Parent | Child | Yes |
| 7 | Yes | Child | Parent | Yes |
| 8 | Yes | Grandparent | Grandchild | Yes |
| 9 | Yes | Grandchild | Grandparent | Yes |
| 10 | Yes | Same frame | Same frame | Yes |
Dropping some links with more information just in case:
Main discussion thread (has most of the stuff related to it since 2019): #273
TPAC 2024 minutes: https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-09-23-TPAC-Minutes.md#permission-policy-autofocus