Intent to Ship: Document picture-in-picture: require user gesture for resize APIs


Tommy Steimel

Nov 17, 2023, 2:47:34 PM
to blink-dev

Contact emails

ste...@chromium.org, libe...@chromium.org

Explainer

None

Specification

https://github.com/WICG/document-picture-in-picture/pull/104

Summary

This adds a user gesture requirement for the resizeBy() and resizeTo() Window APIs for document picture-in-picture windows. This allows websites to make use of those APIs while mitigating much of the abuse potential of those APIs on an always-on-top window.



Blink component

Blink>Media>PictureInPicture

TAG review

N/A as this is a minor change to the behavior of an existing API

TAG review status

Not applicable

Risks



Interoperability and Compatibility

None



Gecko: No signal (https://github.com/mozilla/standards-positions/issues/670#issuecomment-1786354361). Added a comment to the existing standards position issue for document picture-in-picture; no response yet.

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/41#issuecomment-1786354016). Added a comment to the existing standards position issue for document picture-in-picture; no response yet.

Web developers: Positive. The ability to programmatically resize the document picture-in-picture window is one of the most-requested features for document picture-in-picture.

Other signals:

Ergonomics

N/A



Activation

N/A



Security

While being able to resize an always-on-top window at will is a security/annoyance risk, by making the API consume a user gesture, the website can only resize once per click, which limits the possible abuse vectors.



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

N/A



Debuggability

N/A



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No

The document picture-in-picture API is not supported on Android



Is this feature fully tested by web-platform-tests?

Yes

document-picture-in-picture/resize-requires-user-gesture.https.html



Flag name on chrome://flags

None

Finch feature name

None

Non-finch justification

Small, low-risk change to existing API



Requires code in //chrome?

False

Tracking bug

https://crbug.com/1354325

Sample links


https://steimelchrome.github.io/document-pip/click_to_resize.html

Estimated milestones

Shipping on desktop: 121


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

N/A

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5398995019235328

This intent message was generated by Chrome Platform Status.

Yoav Weiss

Nov 22, 2023, 12:43:09 AM
to blink-dev, Tommy Steimel


On Friday, November 17, 2023 at 8:47:34 PM UTC+1 Tommy Steimel wrote:



> Interoperability and Compatibility
>
> None


This added requirement would mean that calls to these APIs can now fail. Is that new? Or are developers already expected to handle failures?
Do we expect developers to start checking the UserActivation API before calling these methods?




Tommy Steimel

Nov 22, 2023, 9:49:53 AM
to Yoav Weiss, blink-dev
On Tue, Nov 21, 2023 at 9:43 PM Yoav Weiss <yoav...@chromium.org> wrote:




> This added requirement would mean that calls to these API can now fail. Is that new? Or are developers already expected to handle failures?
> Do we expect developers to start checking the UserActivation API before calling these methods?

Currently these APIs always fail on document picture-in-picture windows regardless of user activation (to prevent really spammy always-on-top windows). We don't expect developers to check the UserActivation API at all, just to only call resizeTo()/resizeBy() in response to a user gesture.
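The gating described in the Intent's Security section (one resize per user gesture, failing otherwise) and in Tommy's clarification above, as an added example that is not code from the thread, the spec PR or the sample page: `documentPictureInPicture.requestWindow()` is the real API, while `tryResize`, `wireUp`, `makeFakePipWindow` and the assumption that a rejected resize throws an error named `NotAllowedError` are mine.

```javascript
// Added example (not the Intent's, the spec PR's or the sample page's code): resize
// a document PiP window only from a click handler, since resizeTo()/resizeBy()
// consume the click's transient activation and fail without one. Assumed: a
// rejected call throws an error named "NotAllowedError".
// Attempt one resize and report the outcome instead of letting it propagate.
function tryResize(pipWindow, width, height) {
  try {
    pipWindow.resizeTo(width, height);
    return { ok: true, error: null };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// One click buys one resize: the first call consumes the activation, so a
// second resizeTo() in the same handler is rejected.
function resizeAllOnClick(pipWindow, sizes) {
  return sizes.map(([w, h]) => tryResize(pipWindow, w, h));
}

// Browser-only usage (openButton/resizeButton are assumed opener-page elements).
function wireUp(openButton, resizeButton) {
  let pipWindow = null;
  openButton.addEventListener('click', async () => {
    pipWindow = await documentPictureInPicture.requestWindow({ width: 320, height: 180 });
  });
  resizeButton.addEventListener('click', () => {
    if (!pipWindow || pipWindow.closed) return;
    const r = tryResize(pipWindow, 640, 360);
    if (!r.ok) console.warn('resize rejected:', r.error);
  });
}

// Constructed stand-in for a PiP window so the gating runs outside a browser:
// click() grants transient activation, resizeTo() consumes it or rejects.
function makeFakePipWindow() {
  const win = { closed: false, width: 0, height: 0, activation: false };
  win.click = () => { win.activation = true; };
  win.resizeTo = (w, h) => {
    if (!win.activation) {
      const err = new Error('resizeTo() without a user gesture');
      err.name = 'NotAllowedError';
      throw err;
    }
    win.activation = false;   // consumed: the next resize needs another click
    win.width = w; win.height = h;
  };
  return win;
}
```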

Rick Byers

Nov 28, 2023, 2:55:58 AM
to Tommy Steimel, Yoav Weiss, blink-dev
On Wed, Nov 22, 2023 at 11:49 PM 'Tommy Steimel' via blink-dev <blin...@chromium.org> wrote:

> On Tue, Nov 21, 2023 at 9:43 PM Yoav Weiss <yoav...@chromium.org> wrote:




> > This added requirement would mean that calls to these API can now fail. Is that new? Or are developers already expected to handle failures?
> > Do we expect developers to start checking the UserActivation API before calling these methods?
>
> Currently these APIs always fail on document picture-in-picture windows regardless of user activation (to prevent really spammy always-on-top windows). We don't expect developers to check the UserActivation API at all, just to only call resizeTo()/resizeBy() in response to a user gesture.

From the subject and summary I also originally assumed this intent was about adding a user gesture restriction, and it looks like your security approval was also based on that incorrect understanding. Can you please re-request a security review with the clarification of the scope of this feature? Please also update the summary of the feature in ChromeStatus, e.g.: "This enables the resizeBy() and resizeTo() Window methods on document picture-in-picture windows, but with the added restriction of a user gesture requirement to mitigate the abuse potential".

Otherwise it looks fine to me.
 
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE-AwAqS29Q2%2BbV89rc8x%2B3BCVQVuLw5QEPnkbrJpy-2mq2bZA%40mail.gmail.com.

Tommy Steimel

Nov 29, 2023, 10:04:49 AM
to Rick Byers, Yoav Weiss, blink-dev
Okay the security reviewer has now re-reviewed it given the updated information. Thanks!

Yoav Weiss

Nov 29, 2023, 10:12:49 AM
to blink-dev, Tommy Steimel, Yoav Weiss, blink-dev, Rick Byers
LGTM1


Philip Jägenstedt

Nov 29, 2023, 11:36:05 AM
to Yoav Weiss, blink-dev, Tommy Steimel, Rick Byers
LGTM2


Chris Harrelson

Nov 29, 2023, 11:58:46 AM
to Philip Jägenstedt, Yoav Weiss, blink-dev, Tommy Steimel, Rick Byers

Rick Byers

Nov 30, 2023, 2:32:00 AM
to Chris Harrelson, Philip Jägenstedt, Yoav Weiss, blink-dev, Tommy Steimel
Thank you Tommy! Superfluous LGTM4