Web-Facing Change PSA: Discard Input Events To Recently Moved Cross-Origin Iframes

Stefan Zager

Nov 3, 2023, 4:08:51 PM
to blink-dev

Contact emails

sza...@chromium.org, kenji...@chromium.org

Specification

None

Summary

If a cross-origin iframe has moved recently within its embedding page, then we will silently discard events targeting the iframe. The rationale is that if the iframe moved recently, it is likely that the user did not intend to click or tap on it. For more information about the risks of mis-clicks: https://www.w3.org/Security/wiki/Clickjacking_Threats#Repositioning_the_trusted_window

This intervention shipped in limited form in 2019: it only affected iframes containing script using V2 features of IntersectionObserver (i.e. occlusion/effect detection). This launch expands this behavior to all cross-origin iframes, regardless of whether they are using IntersectionObserver V2.



Blink component

Blink>Input

TAG review

None

TAG review status

Not applicable

Risks



Interoperability and Compatibility

Web sites that have cross-origin iframes with unstable positioning may experience a drop-off in click rates to those iframes.



Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals:

Security

There are no known security risks to discarding an input event. We have not heard any concerns about the existing limited scope intervention.



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

No

Flag name on chrome://flags

None

Finch feature name

DiscardInputEventsToRecentlyMovedFrames

Requires code in //chrome?

False

Tracking bug

http://crbug.com/603193

Estimated milestones

Shipping on desktop: 121
Shipping on Android: 121
Shipping on WebView: 121


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known GitHub issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing the naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5079376387637248

This intent message was generated by Chrome Platform Status.
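
An added illustration of the behavior the Summary describes, not part of the original message and not Chromium's code: a simplified JavaScript model that replays a constructed timeline of iframe positions and clicks and reports which clicks would be dropped. `FrameMoveTracker`, `replay` and the 500 ms window are assumptions made for the example; the message does not state how long "recently" is.

```javascript
// Simplified model of the intervention; NOT Chromium's implementation.
// ASSUMPTION: the message does not say how long "recently" is. 500 ms is a
// constructed value used only to make the example concrete.
const ASSUMED_STABLE_MS = 500;

class FrameMoveTracker {
  constructor(stableMs = ASSUMED_STABLE_MS) {
    this.stableMs = stableMs;
    this.frames = new Map(); // frame id -> { x, y, crossOrigin, lastMoved }
  }
  // Record a frame's position within the embedding page at time `t` (ms).
  // The first sighting counts as a move (assumption of this model).
  observe(id, x, y, crossOrigin, t) {
    const prev = this.frames.get(id);
    const moved = !prev || prev.x !== x || prev.y !== y;
    this.frames.set(id, { x, y, crossOrigin, lastMoved: moved ? t : prev.lastMoved });
  }
  // Decide the fate of an input event targeting frame `id` at time `t`.
  route(id, t) {
    const f = this.frames.get(id);
    if (!f) return 'unknown-frame';
    if (!f.crossOrigin) return 'deliver'; // only cross-origin frames are affected
    return t - f.lastMoved < this.stableMs ? 'discard' : 'deliver';
  }
}

// Replay a timeline and return the outcome of every click in it.
function replay(timeline, stableMs = ASSUMED_STABLE_MS) {
  const tracker = new FrameMoveTracker(stableMs);
  const outcomes = [];
  for (const e of timeline) {
    if (e.kind === 'pos') tracker.observe(e.id, e.x, e.y, e.crossOrigin, e.t);
    else outcomes.push(`${e.t}:${e.id}:${tracker.route(e.id, e.t)}`);
  }
  return outcomes;
}

// Constructed sample: a cross-origin "ad" frame is pushed down by a late layout
// shift at t=1200; a same-origin "widget" frame first appears at t=1250.
const SAMPLE_TIMELINE = [
  { kind: 'pos', id: 'ad', x: 0, y: 100, crossOrigin: true, t: 0 },
  { kind: 'click', id: 'ad', t: 1000 },
  { kind: 'pos', id: 'ad', x: 0, y: 300, crossOrigin: true, t: 1200 },
  { kind: 'pos', id: 'widget', x: 0, y: 0, crossOrigin: false, t: 1250 },
  { kind: 'click', id: 'ad', t: 1300 },
  { kind: 'click', id: 'widget', t: 1300 },
  { kind: 'click', id: 'ad', t: 1800 },
];
console.log(replay(SAMPLE_TIMELINE));
```

In this model only the click that lands 100 ms after the cross-origin frame shifted is dropped, which is the click-rate effect the compatibility section warns about for frames with unstable positioning.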