
Prevent programmatic focus in iframe #4326

Open
marian-r opened this issue Jan 29, 2019 · 7 comments
Labels
addition/proposal New features or enhancements security/privacy There are security or privacy implications topic: focus

Comments

@marian-r

Resubmitting an issue from w3c/webappsec#543 and w3c/webappsec-permissions-policy#273

I would like to propose a way to restrict an iframe from programmatically setting focus on any of its inputs. Restricting would mean that the .focus() calls inside the iframe would have no effect. I am proposing that it could be achieved with a new feature policy or a sandbox flag; I am not sure which one suits this case better:

sandbox:
<iframe src="ad.html" sandbox="allow-focus-calls"></iframe>

feature policy:
<iframe src="ad.html" allow="focus-calls"></iframe>

(The name of the flag is just an example. Feel free to propose a better name.)

I am a Software Engineer working on advertising security for a house of large online publishers (Yahoo, Tumblr, HuffPost, TechCrunch, AOL to name a few). The reason behind this proposal is that it gives a way for publishers to improve the security of visitors by restricting the ability for (malicious) ads to programmatically steal focus without users noticing.

Example:

Top page:

<html>
<body>
<h1>Top page</h1>
<iframe src="ad.html"></iframe>
</body>
</html>

ad.html:

<html>
<body>
<p>Iframe</p>
<input id="textInput" type="text">
<script>
document.getElementById('textInput').focus();
</script>
</body>
</html>

The iframe in the example 'steals' focus from the top page as soon as it loads.
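As an added example (not code from the issue, from the proposed policy, or from any browser project), here is a publisher-side monitor for the behaviour shown above: it records when focus moves into an embedded ad iframe with no preceding user gesture in the top document. The `report` callback and the one-second gesture window are assumptions.

```javascript
// Added example: flags focus moving into an ad <iframe> when no user gesture in the
// top document preceded it. The decision logic is a pure function so it can be tested
// outside a browser; installFocusMonitor() is the DOM wiring.

// Assumption: a gesture older than this is not considered the cause of the focus change.
const GESTURE_WINDOW_MS = 1000;

// `events` is an ordered list of records (constructed in the test, captured in the browser):
//   { type: 'gesture', t }                 pointer/key activity seen by the top document
//   { type: 'focus', t, target, frame? }   top document lost focus to `target` (a tagName)
// Returns one finding per focus move into an IFRAME, each with a verdict.
function classifyFocusEvents(events, gestureWindowMs = GESTURE_WINDOW_MS) {
  let lastGesture = -Infinity;
  const findings = [];
  for (const ev of events) {
    if (ev.type === 'gesture') {
      lastGesture = ev.t;
    } else if (ev.type === 'focus' && ev.target === 'IFRAME') {
      const sinceGesture = ev.t - lastGesture; // Infinity when no gesture was ever seen
      findings.push({
        t: ev.t,
        frame: ev.frame,
        verdict: sinceGesture <= gestureWindowMs ? 'user-driven' : 'programmatic-suspected',
      });
    }
  }
  return findings;
}

// Browser wiring. When the top window fires `blur` and document.activeElement is an
// <iframe>, focus has moved into that frame; that becomes a 'focus' record above.
// `report` is a hypothetical callback (e.g. sends telemetry to an ad-quality backend).
function installFocusMonitor(report) {
  const events = [];
  const gesture = () => events.push({ type: 'gesture', t: performance.now() });
  for (const type of ['pointerdown', 'keydown', 'touchstart']) {
    window.addEventListener(type, gesture, { capture: true, passive: true });
  }
  window.addEventListener('blur', () => {
    const el = document.activeElement;
    if (!el || el.tagName !== 'IFRAME') return;
    events.push({ type: 'focus', t: performance.now(), target: 'IFRAME', frame: el.src });
    const latest = classifyFocusEvents(events).pop();
    if (latest.verdict === 'programmatic-suspected') report(latest);
  });
}

if (typeof window !== 'undefined') {
  installFocusMonitor((f) => console.warn('ad frame took focus without a gesture', f));
}
```

A click inside the cross-origin frame itself is not visible to the top document, so a user clicking the ad is also reported; treat the verdict as a telemetry signal for ad-quality review rather than as a blocker.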

annevk added the security/privacy label Jan 29, 2019
annevk (Member) commented Jan 29, 2019

cc @whatwg/security

domenic (Member) commented Jan 29, 2019

This appears to be a complete duplicate of the other two issues; it is probably best to centralize discussion, instead of spreading it into three places.

@domenic domenic closed this as completed Sep 24, 2019
@domenic domenic reopened this Sep 24, 2019
domenic (Member) commented Sep 24, 2019

This has a (stalled?) pull request by @ehsan-karamad in progress at #4585.

domenic added the addition/proposal label Sep 24, 2019
rniwa commented Oct 1, 2019

Note that WebKit and other browser engines now require a user gesture for a cross-origin iframe to steal focus: https://trac.webkit.org/changeset/248491

mustaqahmed (Contributor) commented

We have a similar behavior in Chrome since M76 (https://www.chromestatus.com/feature/5179186249465856). Again drawing attention to our HTML PR #4585.

annevk (Member) commented Jun 21, 2021

None of that seems to actually state what Chrome ships? The PR also has some outstanding feedback.

siliu1 commented Sep 24, 2024

More discussion in w3c/webappsec-permissions-policy#273.
