Stop propagating inertness into nested browsing contexts #7605
Comments
Firefox and WebKit don't propagate it. Blink does, but I'm removing it since it can be a cross-site leak, and blocks fenced frames since it opens a communication channel. Note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, they won't respond to mouse interactions, and they won't be reached by sequential navigation. Fixes whatwg#7605.
|
I agree, the document inside the iframe should not be able to detect whether the parent document has made the frame inert. |
Correction: it seems WebKit still allows selection as if not inert, but |
Firefox doesn't propagate it. Blink does, but I'm removing it since it can be a cross-site leak, and blocks fenced frames since it opens a communication channel. WebKit only propagates it for `.focus()`, but not for the selection API. Note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, they won't respond to mouse interactions, and they won't be reached by sequential navigation. Fixes whatwg#7605.
|
So, the cross-site leaks seems bad, so we'll need to do something here for sure. But I don't quite understand what you're saying.
I'm a bit unsure what this means. Are you talking specifically about the container not responding to mouse/sequential focus navigation? Or about the contents too? If it is specifically about the container, then that seems bad. Sure, if you click on the border of the iframe, it won't get a click event. But if you click on a button inside the iframed page, it will. Similarly, you wouldn't be able to tab directly to the iframe, but you'd still tab to the stuff displayed inside it. That basically means iframes "punch a hole" in inertness for the page. If this is about the contents too, then I don't understand the distinction you're drawing. If they're not clickable and not tab-to-able and at least in Firefox not selectable, aren't they just inert? And even if there's difference I'm missing, it seems like the communications channel is still present; if there's any operation which behaves differently before/after the container is made inert, then that's a communications channel. |
|
I mean that if you click in the middle of an iframe where there is a focusable element (inside the iframe), then this focusable element won't become focused if the iframe is inert. But a script in the iframe can still use
This doesn't seem to be happening,
Yes, if the iframe uses
So the idea would be that they would still be kinda inert-ish to the user. But not really inert since iframe scripts would still be able to use |
|
OK. So they can still track user actions cross-site, they just can't communicate programmatically? I'm not sure that's better, but I haven't thought too hard about it... I don't think #7606 really captures those behaviors you mention, though. E.g. you still tab into the iframe, or are able to click on its contents, since there's now nothing stopping those sections of the spec from applying. |
Not sure what you mean with "track". The iframe contents will still not receive mouse events, etc. so not much tracking to do? They will instead not be able to track if the parent page opens modal dialogs or something that could be detected by JS APIs when propagating inertness.
Why? Typically you can tab into the contents of a non-inert iframe because:
But if the iframe is inert, then it's not a candidate:
so the algorithm skips the iframe (and all it's contents). So maybe I wasn't clear enough: tabbing won't go into an inert iframe if the focus is outside of it. But if the focus is inside of it, then tabbing can navigate contents of the inert iframe, and go outside of it.
Well, I guess the CSS spec about |
So in particular if a parent page's intent is to make (for example) an ad inert, in order to prevent it from tracking the user's mouse movements, that will no longer be possible from what I understand. More generally, a lot more information can now leak to the inert frame about the user's behavior than before. This might be worth it, to avoid the case of a collaborating top-level page passing information to the ad; I know that case is on peoples' minds a lot these days. But I wanted to be sure we're all recognizing the tradeoffs.
Thanks, you're right.
Yeah, I think it's surprising you can put focus inside an inert iframe at all. I think that's what the original spec was trying to prevent. But if we think that's the desired behavior, and we have web platform tests for this case, then OK. (Specifically for allowing focus, e.g. programmatically, inside an inert iframe; and then allowing TAB to take you out of the iframe.)
Inertness is not specified in terms of I guess maybe "When a node is inert, then the user agent must act as if the node was absent for the purposes of targeting user interaction events" could apply; if the What about mouse move events, though? |
The CSSWG resolved that inertness forces
Yes, but I would rather defer the exact details to the definition of
They should be avoided by |
|
OK, so yeah, we should definitely specify that inertness causes pointer-events none somehow. I guess that doesn't strictly need to be a blocker for this change, but it'd be reassuring if we had a path toward it. Tests for mouse move events would also be good. |
This can be a cross-site communications channel, and browsers don't want to leave it open. Note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, the contents won't respond to mouse interactions, and they won't be reached by sequential focus navigation. So they generally behave similarly from the perspective of the user. Fixes #7605.
|
BTW, I filed w3c/csswg-drafts#7069 for making it explicit that |
Doing so was a cross-site leak. This change is against the HTML spec, but it aligns Blink with Gecko. WebKit is also not propagating inertness for the selection API, but it does for focusability. I already changed the spec whatwg/html#7605 and updated WPT in web-platform-tests/wpt#32817. Note this only affects the webexposed behavior. The accessibility tree still considers the contents of an inert frame to be inert, as tested by All/DumpAccessibilityTreeTestWithIgnoredNodes.AccessibilityModalDialogAndIframes/* Therefore Frame::is_inert_ and related flags are kept for accessibility, but they will no longer effect ComputedStyle::IsInert(). Also note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, they won't respond to mouse interactions, and they won't be reached by sequential navigation. Bug: 1293191 TEST=All/DumpAccessibilityTreeTestWithIgnoredNodes.InertAttribute/* TEST=All/SitePerProcessBrowserTest.CrossProcessInertSubframe/* TEST=All/SitePerProcessBrowserTest.CrossProcessIsInertPropagation/* TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inert-focus-in-frames.html TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inertness-with-modal-dialogs-and-iframes.html TEST=third_party/blink/web_tests/fast/dom/inert/inert-focus-in-frames.html AX-Relnotes: n/a. Change-Id: I70820d2aeca98e1c4036bd3f8c41ef0129a97a63 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3302103 Reviewed-by: Aaron Leventhal <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Commit-Queue: Oriol Brufau <[email protected]> Cr-Commit-Position: refs/heads/main@{#973015}
|
I have created web-platform-tests/wpt#32905 for testing more events like mousemove, and that it's possible to tab within an inert iframe or leave it if focus is already there. |
Doing so was a cross-site leak. This change is against the HTML spec, but it aligns Blink with Gecko. WebKit is also not propagating inertness for the selection API, but it does for focusability. I already changed the spec whatwg/html#7605 and updated WPT in #32817. Note this only affects the webexposed behavior. The accessibility tree still considers the contents of an inert frame to be inert, as tested by All/DumpAccessibilityTreeTestWithIgnoredNodes.AccessibilityModalDialogAndIframes/* Therefore Frame::is_inert_ and related flags are kept for accessibility, but they will no longer effect ComputedStyle::IsInert(). Also note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, they won't respond to mouse interactions, and they won't be reached by sequential navigation. Bug: 1293191 TEST=All/DumpAccessibilityTreeTestWithIgnoredNodes.InertAttribute/* TEST=All/SitePerProcessBrowserTest.CrossProcessInertSubframe/* TEST=All/SitePerProcessBrowserTest.CrossProcessIsInertPropagation/* TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inert-focus-in-frames.html TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inertness-with-modal-dialogs-and-iframes.html TEST=third_party/blink/web_tests/fast/dom/inert/inert-focus-in-frames.html AX-Relnotes: n/a. Change-Id: I70820d2aeca98e1c4036bd3f8c41ef0129a97a63 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3302103 Reviewed-by: Aaron Leventhal <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Commit-Queue: Oriol Brufau <[email protected]> Cr-Commit-Position: refs/heads/main@{#973015}
Doing so was a cross-site leak. This change is against the HTML spec, but it aligns Blink with Gecko. WebKit is also not propagating inertness for the selection API, but it does for focusability. I already changed the spec whatwg/html#7605 and updated WPT in #32817. Note this only affects the webexposed behavior. The accessibility tree still considers the contents of an inert frame to be inert, as tested by All/DumpAccessibilityTreeTestWithIgnoredNodes.AccessibilityModalDialogAndIframes/* Therefore Frame::is_inert_ and related flags are kept for accessibility, but they will no longer effect ComputedStyle::IsInert(). Also note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, they won't respond to mouse interactions, and they won't be reached by sequential navigation. Bug: 1293191 TEST=All/DumpAccessibilityTreeTestWithIgnoredNodes.InertAttribute/* TEST=All/SitePerProcessBrowserTest.CrossProcessInertSubframe/* TEST=All/SitePerProcessBrowserTest.CrossProcessIsInertPropagation/* TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inert-focus-in-frames.html TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inertness-with-modal-dialogs-and-iframes.html TEST=third_party/blink/web_tests/fast/dom/inert/inert-focus-in-frames.html AX-Relnotes: n/a. Change-Id: I70820d2aeca98e1c4036bd3f8c41ef0129a97a63 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3302103 Reviewed-by: Aaron Leventhal <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Commit-Queue: Oriol Brufau <[email protected]> Cr-Commit-Position: refs/heads/main@{#973015}
Doing so was a cross-site leak. This change is against the HTML spec, but it aligns Blink with Gecko. WebKit is also not propagating inertness for the selection API, but it does for focusability. I already changed the spec whatwg/html#7605 and updated WPT in web-platform-tests#32817. Note this only affects the webexposed behavior. The accessibility tree still considers the contents of an inert frame to be inert, as tested by All/DumpAccessibilityTreeTestWithIgnoredNodes.AccessibilityModalDialogAndIframes/* Therefore Frame::is_inert_ and related flags are kept for accessibility, but they will no longer effect ComputedStyle::IsInert(). Also note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, they won't respond to mouse interactions, and they won't be reached by sequential navigation. Bug: 1293191 TEST=All/DumpAccessibilityTreeTestWithIgnoredNodes.InertAttribute/* TEST=All/SitePerProcessBrowserTest.CrossProcessInertSubframe/* TEST=All/SitePerProcessBrowserTest.CrossProcessIsInertPropagation/* TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inert-focus-in-frames.html TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inertness-with-modal-dialogs-and-iframes.html TEST=third_party/blink/web_tests/fast/dom/inert/inert-focus-in-frames.html AX-Relnotes: n/a. Change-Id: I70820d2aeca98e1c4036bd3f8c41ef0129a97a63 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3302103 Reviewed-by: Aaron Leventhal <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Commit-Queue: Oriol Brufau <[email protected]> Cr-Commit-Position: refs/heads/main@{#973015}
…rowsing contexts, a=testonly Automatic update from web-platform-tests Stop propagating inertness into nested browsing contexts See whatwg/html#7605 -- wpt-commits: 0d483a3bea340a2c60cb7a4add49eb63cbba2a64 wpt-pr: 32817
…nested browsing contexts, a=testonly Automatic update from web-platform-tests [inert] Stop propagating inertness into nested browsing contexts Doing so was a cross-site leak. This change is against the HTML spec, but it aligns Blink with Gecko. WebKit is also not propagating inertness for the selection API, but it does for focusability. I already changed the spec whatwg/html#7605 and updated WPT in web-platform-tests/wpt#32817. Note this only affects the webexposed behavior. The accessibility tree still considers the contents of an inert frame to be inert, as tested by All/DumpAccessibilityTreeTestWithIgnoredNodes.AccessibilityModalDialogAndIframes/* Therefore Frame::is_inert_ and related flags are kept for accessibility, but they will no longer effect ComputedStyle::IsInert(). Also note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, they won't respond to mouse interactions, and they won't be reached by sequential navigation. Bug: 1293191 TEST=All/DumpAccessibilityTreeTestWithIgnoredNodes.InertAttribute/* TEST=All/SitePerProcessBrowserTest.CrossProcessInertSubframe/* TEST=All/SitePerProcessBrowserTest.CrossProcessIsInertPropagation/* TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inert-focus-in-frames.html TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inertness-with-modal-dialogs-and-iframes.html TEST=third_party/blink/web_tests/fast/dom/inert/inert-focus-in-frames.html AX-Relnotes: n/a. Change-Id: I70820d2aeca98e1c4036bd3f8c41ef0129a97a63 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3302103 Reviewed-by: Aaron Leventhal <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Commit-Queue: Oriol Brufau <[email protected]> Cr-Commit-Position: refs/heads/main@{#973015} -- wpt-commits: 9c81c01ec17341400c56462171bcec4ae17f0bb2 wpt-pr: 32911
…rowsing contexts, a=testonly Automatic update from web-platform-tests Stop propagating inertness into nested browsing contexts See whatwg/html#7605 -- wpt-commits: 0d483a3bea340a2c60cb7a4add49eb63cbba2a64 wpt-pr: 32817
…nested browsing contexts, a=testonly Automatic update from web-platform-tests [inert] Stop propagating inertness into nested browsing contexts Doing so was a cross-site leak. This change is against the HTML spec, but it aligns Blink with Gecko. WebKit is also not propagating inertness for the selection API, but it does for focusability. I already changed the spec whatwg/html#7605 and updated WPT in web-platform-tests/wpt#32817. Note this only affects the webexposed behavior. The accessibility tree still considers the contents of an inert frame to be inert, as tested by All/DumpAccessibilityTreeTestWithIgnoredNodes.AccessibilityModalDialogAndIframes/* Therefore Frame::is_inert_ and related flags are kept for accessibility, but they will no longer effect ComputedStyle::IsInert(). Also note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, they won't respond to mouse interactions, and they won't be reached by sequential navigation. Bug: 1293191 TEST=All/DumpAccessibilityTreeTestWithIgnoredNodes.InertAttribute/* TEST=All/SitePerProcessBrowserTest.CrossProcessInertSubframe/* TEST=All/SitePerProcessBrowserTest.CrossProcessIsInertPropagation/* TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inert-focus-in-frames.html TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inertness-with-modal-dialogs-and-iframes.html TEST=third_party/blink/web_tests/fast/dom/inert/inert-focus-in-frames.html AX-Relnotes: n/a. Change-Id: I70820d2aeca98e1c4036bd3f8c41ef0129a97a63 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3302103 Reviewed-by: Aaron Leventhal <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Commit-Queue: Oriol Brufau <[email protected]> Cr-Commit-Position: refs/heads/main@{#973015} -- wpt-commits: 9c81c01ec17341400c56462171bcec4ae17f0bb2 wpt-pr: 32911
This can be a cross-site communications channel, and browsers don't want to leave it open. Note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, the contents won't respond to mouse interactions, and they won't be reached by sequential focus navigation. So they generally behave similarly from the perspective of the user. Fixes whatwg#7605.
Doing so was a cross-site leak. This change is against the HTML spec, but it aligns Blink with Gecko. WebKit is also not propagating inertness for the selection API, but it does for focusability. I already changed the spec whatwg/html#7605 and updated WPT in web-platform-tests/wpt#32817. Note this only affects the webexposed behavior. The accessibility tree still considers the contents of an inert frame to be inert, as tested by All/DumpAccessibilityTreeTestWithIgnoredNodes.AccessibilityModalDialogAndIframes/* Therefore Frame::is_inert_ and related flags are kept for accessibility, but they will no longer effect ComputedStyle::IsInert(). Also note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, they won't respond to mouse interactions, and they won't be reached by sequential navigation. Bug: 1293191 TEST=All/DumpAccessibilityTreeTestWithIgnoredNodes.InertAttribute/* TEST=All/SitePerProcessBrowserTest.CrossProcessInertSubframe/* TEST=All/SitePerProcessBrowserTest.CrossProcessIsInertPropagation/* TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inert-focus-in-frames.html TEST=third_party/blink/web_tests/external/wpt/html/semantics/interactive-elements/the-dialog-element/inertness-with-modal-dialogs-and-iframes.html TEST=third_party/blink/web_tests/fast/dom/inert/inert-focus-in-frames.html AX-Relnotes: n/a. Change-Id: I70820d2aeca98e1c4036bd3f8c41ef0129a97a63 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3302103 Reviewed-by: Aaron Leventhal <[email protected]> Reviewed-by: Mason Freed <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Commit-Queue: Oriol Brufau <[email protected]> Cr-Commit-Position: refs/heads/main@{#973015} NOKEYCHECK=True GitOrigin-RevId: a486ffcc6d5ecf0d9827d6468ece0eae4306eb50
https://html.spec.whatwg.org/multipage/interaction.html#inert
Firefox and WebKit don't do this. Blink does, but I'm removing it since it can be a cross-site leak, and blocks fenced frames since it opens a communication channel.
Note that even if the contents in the nested browsing contexts are not marked as inert, if the browsing context container is inert, they won't respond to mouse interactions, and they won't be reached by sequential navigation.
CC @emilio, @nt1m
The text was updated successfully, but these errors were encountered: