Intent to Prototype: Policy-controlled feature `manual-text`

Christoph Schwering

Apr 22, 2025, 10:40:00 AM
to blin...@chromium.org

Contact emails

schw...@google.com

Explainer

https://github.com/explainers-by-googlers/safe-text-input/blob/main/manual-text.md

Summary

The policy-controlled feature `manual-text` indicates whether it is safe to dispatch text events in embedded documents.
Disabling `manual-text` in an iframe signals to the user agent that the embedded document should not receive text input. The user agent may warn before dispatching text-producing events such as keyboard or paste events, or suppress them entirely.
A related feature is `autofill`: https://chromestatus.com/feature/5066686516953088

Blink component

Blink>FeaturePolicy

Motivation

This specification improves data security: For end users, it is often difficult to recognize third-party documents as such, let alone to identify the third party and reason about its trustworthiness. With the policy-controlled feature `manual-text`, the embedding document expresses whether it considers an embedded document trustworthy for user text input. The browser can use this to warn the user when they are about to enter text in an untrusted document, or it may directly block the dispatch of these events. Text-producing events include most keyboard events, paste events, and drop events. They exclude keyboard events that are not commonly used to enter meaningful text, such as navigation keys or the space key. Today, documents have no way of preventing an embedded document from receiving text input short of sandboxing the frame.

Search tags

autofill, feature-policy

TAG review

https://github.com/w3ctag/design-reviews/issues/831
The TAG review started for an earlier proposal `shared-autofill`. After feedback from TAG, we shifted the scope of the proposal from enabling cross-origin autofill and other text input to controlling autofill in cross-origin iframes. Shopify has expressed support for the proposal. Mozilla and WebKit responses on the earlier proposal `shared-autofill` were neutral.


This intent message was generated by Chrome Platform Status.

