From 508a5ceb87b621d5d1a439aedeece2d00be55ed5 Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Fri, 15 Feb 2019 16:50:13 -0500 Subject: [PATCH 01/15] Added a new section on User Activation v2. Replaced most of Section 6.3 with the new user activation model, preserved only a part (events triggering user activation) into a new Section 6.4 which needs to be addressed through a separate issue. --- source | 170 ++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 114 insertions(+), 56 deletions(-) diff --git a/source b/source index 6ace5d4c1f6..a9d081c0744 100644 --- a/source +++ b/source @@ -30260,8 +30260,8 @@ interface HTMLIFrameElement : HTMLElement { keyword allows the content to navigate its top-level browsing context; the allow-top-navigation-by-user-activation - keyword behaves similarly but only allows such navigation when - triggered by user activation; and the navigation only when + transient activation flag is true; and the allow-forms, allow-modals, allow-orientation-lock, MediaError {

A media element is said to be allowed to play if the user agent and the system allow media playback in the current context.

-

For example, a user agent could require that playback is triggered by user - activation, but an exception could be made to allow playback while For example, a user agent could allow playback only when transient + activation flag is true, but an exception could be made to allow playback while muted.

A media element is said to have ended playback when:

@@ -47892,8 +47892,8 @@ ldh-str = < as defined in click event.

+ -
+

To prevent abuse of certain APIs that could be annoying to users (e.g. opening popups or + vibrating phones), Web browsers allow the use of these APIs only when the user is actively + interacting with the web page or have interacted with the page at least once. This "active + interaction" state is maintained through the user activation state object in each + Window.

-

The user agent should allow the user to manually trigger elements that have an activation - behavior, for instance using keyboard or voice input, or through mouse clicks. When the - user triggers an element with a defined activation behavior in a manner other than - clicking it, the default action of the interaction event must be to fire a click event at the element.

- +

Processing model

-

An algorithm is triggered by user - activation if any of the following conditions is true:

+

A user interaction activates a Window object + W if either:

+
    +
  • input events from the user interaction is targetted to an element of W, or
    • +
  • the interaction activates the Window + object in a subframe of W.
    • +
+ +

The user activation state of a Window object W consists of + two boolean flags, both of which are initially set to false:

    -

  • The task in which the algorithm is running is currently - processing an activation behavior whose click - event's isTrusted attribute is true.

    • +
  • The sticky activation flag indicates the historical activation state: whether the + user has ever interacted with W or its subframes. The flag is set when W + is activated for the very first time, and is never + reset during the lifetime of W.
    • + +
  • The transient activation flag indicates the current activation state: whether the + user is currently interacting with W or its subframes. The flag is set every time + W is activated, and is reset either +
      +
    • after an expiry time defined by the browser, or
      • +
    • through a call to an activation-consuming API in the context of + any Window object of the page.
      • +
    +
    • +
-
  • -

    The task in which the algorithm is running is currently - running the event listener for an event whose isTrusted attribute is true and whose type is one of:

    +

    The propagation of the transient activation flag in the frame tree + is assymetric between setting vs resetting of the flag. A user interaction with a frame + F sets the flag in the Window object of each ancestor frame of + F (including F itself). However, an activation-consuming + API call in the context of the Window object of frame of F resets + the flag in all Window objects across the whole frame tree. This prevents + multiple calls to an activation-consuming API even when the frame hierarchy + is deep.

    -
      -
    • change
      • -
    • click
      • -
    • contextmenu
      • -
    • dblclick
      • -
    • mouseup
      • -
    • pointerup
      • -
    • reset
      • -
    • submit
      • -
    • touchend
      • -
    +

    APIs gated by user activation

    -
    • +

    APIs that are dependent on user activation state are classified into three + different levels. The levels are as follows, sorted by their "strength of dependence" on user + activation (from strongest to weakest):

    +
      +
    1. Transient activation consuming APIs: These APIs require the transient bit, and + they consume the bit in each call to prevent multiple calls per user activation.
      2. -
    2. -

      The task in which the algorithm is running was queued by an algorithm that was triggered by user - activation, and the chain of such algorithms started within a user-agent defined - timeframe.

      +
    3. Transient activation gated APIs: These APIs require the transient bit but don't + consume it, so multiple calls are allowed per user activation until the transient bit + expires.
      4. -

      For example, if a user clicked a button, it might be acceptable for a popup - to result from that after 4 seconds, but it would likely not be acceptable for a popup to result - from that after 4 hours.

      - +
    4. Sticky activation gated APIs: These APIs require the sticky activation bit, so + they are blocked until the very first user activation.
      5. +
    + + +

    Events triggering user activation

    + +
    + + + + + + +

    The event set is inconsistent across major browsers. See issue #3849.

    + +

    A Window object W is considered activated when W or any + elements of W receives an event whose isTrusted attribute is true and whose type is one of:

    +
      +
    • change
      • +
    • click
      • +
    • contextmenu
      • +
    • dblclick
      • +
    • mouseup
      • +
    • pointerup
      • +
    • reset
      • +
    • submit
      • +
    • touchend
    +

    Activation behavior of elements

    + +

    Certain elements in HTML have an activation behavior, which means that the user + can activate them. This is always caused by a click event.

    + +
    + +

    The user agent should allow the user to manually trigger elements that have an activation + behavior, for instance using keyboard or voice input, or through mouse clicks. When the + user triggers an element with a defined activation behavior in a manner other than + clicking it, the default action of the interaction event must be to fire a click event at the element.

    + +

    Focus

    @@ -78891,12 +78949,12 @@ console.assert(iframeWindow.frameElement === null); then:

      -

    1. If this algorithm is triggered by user activation and A's +

    2. If transient activation flag is true and A's active document's active sandboxing flag set has its sandboxed top-level navigation with user activation browsing context flag set, then return false.

      3. -

    3. Otherwise, if this algorithm is not triggered by user activation and +

    4. Otherwise, if transient activation flag is false and A's active document's active sandboxing flag set has its sandboxed top-level navigation without user activation browsing context flag set, then return false.

      5. @@ -79212,7 +79270,7 @@ console.assert(iframeWindow.frameElement === null); applicable option from the following list:

      - @@ -81357,8 +81415,8 @@ interface BarProp {

      This flag prevents content from navigating their top-level browsing context and prevents content from closing their - top-level browsing context. It is consulted only from algorithms that are - not triggered by user activation.

      + top-level browsing context. It is consulted only when transient + activation flag is false.

      When the sandboxed top-level navigation without user activation browsing context flag is not set, content can navigate its top-level browsing @@ -81376,8 +81434,8 @@ interface BarProp {

      This flag prevents content from navigating their top-level browsing context and prevents content from closing their - top-level browsing context. It is consulted only from algorithms that - are triggered by user activation.

      + top-level browsing context. It is consulted only when transient + activation flag is true.

      As with the sandboxed top-level navigation without user activation browsing context flag, this flag only affects the top-level browsing context; if it is not @@ -83909,8 +83967,8 @@ interface Location { // but see also For example, there could be a vulnerability in the target software's URL From 3d4e4820aa23b0acde6d4d1d93f58959fc371332 Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Mon, 18 Mar 2019 12:35:29 -0400 Subject: [PATCH 02/15] domenic's comments. --- source | 142 +++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 93 insertions(+), 49 deletions(-) diff --git a/source b/source index a9d081c0744..5732944505d 100644 --- a/source +++ b/source @@ -73230,62 +73230,106 @@ END:VCARD

      Processing model

      -

      A user interaction activates a Window object - W if either:

      -
        -
      • input events from the user interaction is targetted to an element of W, or
        • - -
      • the interaction activates the Window - object in a subframe of W.
        • -
      +

      When a user interaction in a browsing context B causes firing of an activation triggering input events in that context, it + activates the Window objects in all ancestor browsing contexts of B (including + the one in B itself). The UA activates all relevant Window objects before + it dispatches the input event to any EventTarget.

      The user activation state of a Window object W consists of two boolean flags, both of which are initially set to false:

      +
        -
      • The sticky activation flag indicates the historical activation state: whether the - user has ever interacted with W or its subframes. The flag is set when W - is activated for the very first time, and is never - reset during the lifetime of W.
        • - -
      • The transient activation flag indicates the current activation state: whether the - user is currently interacting with W or its subframes. The flag is set every time - W is activated, and is reset either -
          -
        • after an expiry time defined by the browser, or
          • -
        • through a call to an activation-consuming API in the context of - any Window object of the page.
          • -
        -
        • + +

      • The sticky activation flag indicates the historical activation state: whether + the user has ever interacted with W or its subframes. When W is activated for the very first time, the UA sets the flag to true. + This flag is never set to false during the lifetime of W.

        • + +

      • The transient activation flag indicates the current activation state: whether + the user is currently interacting with W or its subframes. Every time W is + activated, the UA sets the flag to true. The UA sets the + flag to false when the flag either expires or gets consumed.

        • +
      -

      The propagation of the transient activation flag in the frame tree - is assymetric between setting vs resetting of the flag. A user interaction with a frame - F sets the flag in the Window object of each ancestor frame of - F (including F itself). However, an activation-consuming - API call in the context of the Window object of frame of F resets - the flag in all Window objects across the whole frame tree. This prevents - multiple calls to an activation-consuming API even when the frame hierarchy - is deep.

      +
      + +
      Expiration of transient activation
      + +
      + +

      The UA sets the transient activation flag to false after a UA-defined expiry + time has elapsed since the last time W was + activated.

      + +

      The expiry time has to be at most a few seconds so that the user can possibly + perceive the link between an interaction with a page and the page opening a popup, for + example.

      + +

      The UA can possibly implement the expiration of transient activation + flag through time-stamping: the UA would have an internal time-stamp field in user + activation state which is updated to current time-stamp every time W is + activated. Then every time the transient activation + flag is checked, the UA would return true iff current time-stamp is less than the stored + time-stamp plus the expiry time.

      + +
      + +
      Consumption of transient activation
      + +
      + +

      The UA sets the transient activation flag to whenever any script in the page + makes a call to an activation consuming API such as window.open().

      + +

      Note the assymetry between setting the transient activation + flag to true and false from the perspective of the browsing contexts of the page. A user interaction with a Window + object W sets to true the transient activation flags in only the ancestor browsing contexts of W. However, + a consumping in W sets to false the flags in all browsing contexts of the page (more + precisely, all descendant browsing + contexts of the top-level browsing context of W). Consuming the + flag in this manner prevents malicious sites from making multiple calls to an activation + consuming API from a single user activation (possibly by exploiting a deep hierarchy of + browsing contexts).

      + +
      + +

      APIs gated by user activation

      APIs that are dependent on user activation state are classified into three different levels. The levels are as follows, sorted by their "strength of dependence" on user activation (from strongest to weakest):

      -
        -
      1. Transient activation consuming APIs: These APIs require the transient bit, and - they consume the bit in each call to prevent multiple calls per user activation.
        2. +
        +
        Transient activation consuming APIs
        -
      2. Transient activation gated APIs: These APIs require the transient bit but don't - consume it, so multiple calls are allowed per user activation until the transient bit - expires.
        3. +

        These APIs require the transient activation flag to be true, and they consume the flag in each call to prevent multiple + calls per user activation.

        -
      3. Sticky activation gated APIs: These APIs require the sticky activation bit, so - they are blocked until the very first user activation.
        4. -
      +
      Transient activation gated APIs
      + +

      These APIs require the transient activation flag to be true but don't consume it, so + multiple calls are allowed per user activation until the transient bit expires.

      + +
      Sticky activation gated APIs
      + +

      These APIs require the sticky activation flag to be true, so they are blocked + until the very first user activation.

      + +
      -

      Events triggering user activation

      +

      Input events triggering user activation

      @@ -73302,15 +73346,15 @@ END:VCARD data-x="dom-Event-isTrusted">isTrusted attribute is true and whose type is one of:

        -
      • change
        • -
      • click
        • -
      • contextmenu
        • -
      • dblclick
        • -
      • mouseup
        • -
      • pointerup
        • -
      • reset
        • -
      • submit
        • -
      • touchend
        • +
      • change
        • +
      • click
        • +
      • contextmenu
        • +
      • dblclick
        • +
      • mouseup
        • +
      • pointerup
        • +
      • reset
        • +
      • submit
        • +
      • touchend
      From 67ca5719d904cb3de1d23bb132723df4975caf4e Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Tue, 19 Mar 2019 11:35:14 -0400 Subject: [PATCH 03/15] bratell's comment --- source | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source b/source index 5732944505d..ab6f27e9c11 100644 --- a/source +++ b/source @@ -47892,7 +47892,7 @@ ldh-str = < as defined in allow-top-navigation-by-user-activation keyword behaves similarly but allows such navigation only when - transient activation flag is true; and the transient activation flag is true; and the allow-forms, allow-modals, allow-orientation-lock, MediaError {

      A media element is said to be allowed to play if the user agent and the system allow media playback in the current context.

      -

      For example, a user agent could allow playback only when transient +

      For example, a user agent could allow playback only when the transient activation flag is true, but an exception could be made to allow playback while muted.

      @@ -47892,7 +47892,7 @@ ldh-str = < as defined in       user activation state object in each - Window.

      + interacting with the web page or has interacted with the page at least once. This "active + interaction" state is maintained on each Window through the mechanisms in this + section.

      -

      Processing model

      +
      -

      When a user interaction in a browsing context B causes firing of an activation triggering input events in that context, it - activates the Window objects in all ancestor browsing contexts of B (including - the one in B itself). The UA activates all relevant Window objects before - it dispatches the input event to any EventTarget.

      +

      Processing model

      -

      The user activation state of a Window object W consists of - two boolean flags, both of which are initially set to false:

      +

      For the purposes of tracking user activation, each Window object W has + the following associated values:

      -
        +
        +
        The sticky activation flag
        +
        +

        A boolean value indicating the historical activation state: whether the user has ever + interacted with W or any of its descendant windows. Initially false.

        -

      • The sticky activation flag indicates the historical activation state: whether - the user has ever interacted with W or its subframes. When W is activated for the very first time, the UA sets the flag to true. - This flag is never set to false during the lifetime of W.

        • +

        When W is activated for the very first time, + this flag gets set to true. It is never set to false during the lifetime of W.

        +
        -

      • The transient activation flag indicates the current activation state: whether - the user is currently interacting with W or its subframes. Every time W is - activated, the UA sets the flag to true. The UA sets the - flag to false when the flag either expires or gets consumed.

        • +
        The consumable activation flag
        +
        +

        A boolean value used to implement the transient activation flag. It indicates + whether the user has interacted with W or any of its descendant windows, since the last time an API consumed a user activation. Initially false.

        -
      +

      Activation consuming APIs, such as window.open(), set the consumable activation flag to + false.

      + -
      +
      The last activation time
      +
      +

      A timestamp indicating the last time W was activated, used for expiration of the transient activation flag. Initially + null.

      +
      +
      -
      Expiration of transient activation
      +

      Then, the value of the transient activation flag for W is determined by + the following steps:

      -
      +
        +

      1. If W's consumable activation flag is false, return false.

        2. -

        The UA sets the transient activation flag to false after a UA-defined expiry - time has elapsed since the last time W was - activated.

        +

      2. Assert: W's last activation time is not null.

        3. -

        The expiry time has to be at most a few seconds so that the user can possibly - perceive the link between an interaction with a page and the page opening a popup, for - example.

        +
      3. +

        If W's last activation time is longer ago than a + user-agent-defined transient activation expiration cutoff, return false.

        -

        The UA can possibly implement the expiration of transient activation - flag through time-stamping: the UA would have an internal time-stamp field in user - activation state which is updated to current time-stamp every time W is - activated. Then every time the transient activation - flag is checked, the UA would return true iff current time-stamp is less than the stored - time-stamp plus the expiry time.

        +

        The transient activation expiration cutoff should be at most a few seconds, so + that the user can possibly perceive the link between an interaction with a page and the page + opening a popup (for example).

        +
        4. -
      +

    5. Return true.

      6. +
    -
    Consumption of transient activation
    +

    When a user interaction in a browsing context activatedBrowsingContext + causes firing of an activation triggering input event + in that context, the user agent must perform the following steps before dispatching the event. These steps are said to activate the relevant Window objects.

    -
    +
      +

    1. Let browsingContexts be a list consisting of + activatedBrowsingContext plus all ancestor + browsing contexts of activatedBrowsingContext.

      2. -

      The UA sets the transient activation flag to whenever any script in the page - makes a call to an activation consuming API such as window.open().

      +

    2. Let windows be the list of Window objects constructed by, for each + browsingContext of browsingContexts, taking the [[Window]] internal slot + value of browsingContext's WindowProxy object.

      3. -

      Note the assymetry between setting the transient activation - flag to true and false from the perspective of the browsing contexts of the page. A user interaction with a Window - object W sets to true the transient activation flags in only the ancestor browsing contexts of W. However, - a consumping in W sets to false the flags in all browsing contexts of the page (more - precisely, all descendant browsing - contexts of the top-level browsing context of W). Consuming the - flag in this manner prevents malicious sites from making multiple calls to an activation - consuming API from a single user activation (possibly by exploiting a deep hierarchy of - browsing contexts).

      +
    3. +

      For each window of windows:

      -
    +
      +

    1. Set window's sticky activation flag to true.

      2. - +

    2. Set window's consumable activation flag to true.

      3. + +

    3. Set window's last activation time to the current time.

      4. +
    + + + +

    To consume user activation for a Window W, perform the + following steps:

    + +
      +

    1. If W's browsing context is null, then + return.

      2. + +

    2. Let top be W's browsing context's + top-level browsing context.

      3. + +

    3. Let browsingContexts be the list of the descendant browsing + contexts of top's active document.

      4. + +

    4. Append top to + browsingContexts.

      5. + +

    5. Let windows be the list of Window objects constructed by, for each + browsingContext of browsingContexts, taking the [[Window]] internal slot + value of browsingContext's WindowProxy object.

      6. + +
    6. +

      For each window of windows:

      + +
        +

      1. Set window's consumable activation flag to false.

        2. +
      +
      7. +
    + +

    Note the asymmetry between activation and + consumption from the perspective of the browsing contexts of the page. Activation only sets the + consumable activation flag to true for a browsing context's inclusive ancestors, but + consumption sets the flag to false for both ancestor and descendant browsing contexts. Consuming + the flag in this manner prevents malicious sites from making multiple calls to an activation + consuming API from a single user activation (possibly by exploiting a deep hierarchy of + browsing contexts).

    + +

    APIs gated by user activation

    -

    APIs that are dependent on user activation state are classified into three - different levels. The levels are as follows, sorted by their "strength of dependence" on user - activation (from strongest to weakest):

    +

    APIs that are dependent on user activation are classified into three different levels. The + levels are as follows, sorted by their "strength of dependence" on user activation (from strongest + to weakest):

    +
    -
    Transient activation consuming APIs
    +
    Transient activation-consuming APIs
    -

    These APIs require the transient activation flag to be true, and they consume the flag in each call to prevent multiple - calls per user activation.

    +

    These APIs require the transient activation flag to be true, and they + consume user activation in each call to prevent multiple calls per user + activation.

    -
    Transient activation gated APIs
    +
    Transient activation-gated APIs
    -

    These APIs require the transient activation flag to be true but don't consume it, so - multiple calls are allowed per user activation until the transient bit expires.

    +

    These APIs require the transient activation flag to be true, but don't + consume it, so multiple calls are allowed per user activation until the transient bit expires.

    -
    Sticky activation gated APIs
    +
    Sticky activation-gated APIs
    -

    These APIs require the sticky activation flag to be true, so they are blocked +

    These APIs require the sticky activation flag to be true, so they are blocked until the very first user activation.

    -

    Input events triggering user activation

    -
    - - - - - -

    The event set is inconsistent across major browsers. See issue #3849.

    @@ -73345,6 +73384,7 @@ END:VCARD elements of W receives an event whose isTrusted attribute is true and whose type is one of:

    +
    • change
    • click
      • @@ -73357,9 +73397,7 @@ END:VCARD
    • touchend
    -
    - -

    Activation behavior of elements

    +

    Activation behavior of elements

    Certain elements in HTML have an activation behavior, which means that the user can activate them. This is always caused by a click event.

    @@ -78993,12 +79031,12 @@ console.assert(iframeWindow.frameElement === null); then:

      -

    1. If transient activation flag is true and A's +

    2. If the transient activation flag is true and A's active document's active sandboxing flag set has its sandboxed top-level navigation with user activation browsing context flag set, then return false.

      3. -

    3. Otherwise, if transient activation flag is false and +

    4. Otherwise, if the transient activation flag is false and A's active document's active sandboxing flag set has its sandboxed top-level navigation without user activation browsing context flag set, then return false.

      5. @@ -79314,7 +79352,7 @@ console.assert(iframeWindow.frameElement === null); applicable option from the following list:

      - @@ -81459,7 +81497,7 @@ interface BarProp {

      This flag prevents content from navigating their top-level browsing context and prevents content from closing their - top-level browsing context. It is consulted only when transient + top-level browsing context. It is consulted only when the transient activation flag is false.

      When the sandboxed top-level navigation without user activation browsing context @@ -81478,7 +81516,7 @@ interface BarProp {

      This flag prevents content from navigating their top-level browsing context and prevents content from closing their - top-level browsing context. It is consulted only when transient + top-level browsing context. It is consulted only when the transient activation flag is true.

      As with the sandboxed top-level navigation without user activation browsing context @@ -84011,7 +84049,7 @@ interface Location { // but see also For example, a user agent could allow playback only when the transient +

      For example, a user agent could allow playback only when the transient activation flag is true, but an exception could be made to allow playback while muted.

      @@ -73216,8 +73216,8 @@ END:VCARD

      Tracking user activation

      -

      To prevent abuse of certain APIs that could be annoying to users (e.g. opening popups or - vibrating phones), Web browsers allow the use of these APIs only when the user is actively +

      To prevent abuse of certain APIs that could be annoying to users (e.g., opening popups or + vibrating phones), web browsers allow the use of these APIs only when the user is actively interacting with the web page or has interacted with the page at least once. This "active interaction" state is maintained on each Window through the mechanisms in this section.

      @@ -73273,7 +73273,7 @@ END:VCARD

      If W's last activation time is longer ago than a user-agent-defined transient activation expiration cutoff, return false.

      -

      The transient activation expiration cutoff should be at most a few seconds, so +

      The transient activation expiration cutoff should be at most a few seconds, so that the user can possibly perceive the link between an interaction with a page and the page opening a popup (for example).

      From 19409491ead57e7a665141d46c1bad66ec67270c Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Fri, 11 Oct 2019 13:55:46 -0400 Subject: [PATCH 06/15] Rewrote the PR to address all outstanding comments. --- source | 245 ++++++++++++++++++++++++++++++--------------------------- 1 file changed, 128 insertions(+), 117 deletions(-) diff --git a/source b/source index 585e20a0fe8..3708733cb0c 100644 --- a/source +++ b/source @@ -30261,7 +30261,7 @@ interface HTMLIFrameElement : HTMLElement { the allow-top-navigation-by-user-activation keyword behaves similarly but allows such navigation only when - the transient activation flag is true; and the transient activation state is true; and the allow-forms, allow-modals, allow-orientation-lock, MediaError { system allow media playback in the current context.

      For example, a user agent could allow playback only when the transient - activation flag is true, but an exception could be made to allow playback while state is true, but an exception could be made to allow playback while muted.

      A media element is said to have ended playback when:

      @@ -47892,7 +47892,7 @@ ldh-str = < as defined in       Window through the mechanisms in this - section.

      + vibrating phones), user agents allow these APIs only when the user is actively interacting with + the web page or has interacted with the page at least once. This "active interaction" state is + maintained through the mechanism mentioned in this section.

      -

      Processing model

      +

      Data model

      -

      For the purposes of tracking user activation, each Window object W has - the following associated values:

      +

      For the purpose of tracking user activation, the user agent maintains the following two values + for each Window object W:

      -
      The sticky activation flag
      +
      Last activation timestamp, T:
      -

      A boolean value indicating the historical activation state: whether the user has ever - interacted with W or any of its descendant windows. Initially false.

      - -

      When W is activated for the very first time, - this flag gets set to true. It is never set to false during the lifetime of W.

      +

      An unrestricted double) indicating the last + time W got activation notification. The value of T would be + a valid DOMHighResTimeStamp except for two cases: a positive infinity + indicates that W has never been activated, while a negative infinity indicates that + a user activation gated API has consumed the last user activation of W. + Initial value of T is positive infinity.

      -
      The consumable activation flag
      +
      Transient activation duration, δ:
      -

      A boolean value used to implement the transient activation flag. It indicates - whether the user has interacted with W or any of its descendant windows, since the last time an API consumed a user activation. Initially false.

      - -

      Activation consuming APIs, such as window.open(), set the consumable activation flag to - false.

      +

      A user-agent-defined double) constant indicating how long a + user activation is available for certain user activation + gated APIs (e.g., for opening popups). The value of δ should be at most a + few seconds so that the user can possibly perceive the link between an interaction with the page + and the page calling the activation gated API.

      -
      The last activation time
      -
      -

      A timestamp indicating the last time W was activated, used for expiration of the transient activation flag. Initially - null.

      -
      -

      Then, the value of the transient activation flag for W is determined by - the following steps:

      - -
        -

      1. If W's consumable activation flag is false, return false.

        2. +

        These two values infer two Boolean user activation states in W:

        -

      2. Assert: W's last activation time is not null.

        3. +
          +

        • When current high resolution time is greater than or equal to T in + W, W is said to have sticky activation. This is W's + historical activation state, indicates whether the user has ever interacted in W. + This starts with a false value, and changes to true (then never changes back to false) when + W gets the very first activation notification.

          +
          • -
        • -

          If W's last activation time is longer ago than a - user-agent-defined transient activation expiration cutoff, return false.

          +

        • When current high resolution time is greater than or equal to T + and less than T+δ in W, W is said to have transient + activation. This is W's current activation state, indicates whether the user + has interacted in W recently. This starts with a false value, and remains true for a + limited time after every activation notification W gets.

          -

          The transient activation expiration cutoff should be at most a few seconds, so - that the user can possibly perceive the link between an interaction with a page and the page - opening a popup (for example).

          +

          The transient activation state is considered expired if it becomes false because δ time has + elapsed since the last user activation. Note that it can become false even before the expiry + time through activation consumption.

          • -

        • Return true.

          • -
      + -

      When a user interaction in a browsing context activatedBrowsingContext - causes firing of an activation triggering input event - in that context, the user agent must perform the following steps before dispatching the event. These steps are said to activate the relevant Window objects.

      +

      Processing model

      -
        -

      1. Let browsingContexts be a list consisting of - activatedBrowsingContext plus all ancestor - browsing contexts of activatedBrowsingContext.

        2. +

        The user agent updates the user activation data in + each Window object W using two elementary methods:

        -

      2. Let windows be the list of Window objects constructed by, for each - browsingContext of browsingContexts, taking the [[Window]] internal slot - value of browsingContext's WindowProxy object.

        3. +
          +

        • To activate W, the user agent assigns + current high resolution time to T.

          • -
        • -

          For each window of windows:

          +

        • To deactivate W, the user agent + assigns negative infinity to T provided that the old value of T was not + positive infinity.

          • +
        + These methods are used in the following two algorithms: + +
        +
        Activation notification
        +
        +

        When a user interaction in a browsing context B causes firing of an + activation triggering input event in B, + the user agent must perform the following steps before dispatching the event:

          -

        1. Set window's sticky activation flag to true.

          2. +

        2. Let browsingContexts be a list consisting of:

          +
            +

          • B,

            • +

          • all ancestor browsing contexts of + B, and

            • +

          • all the child browsing contexts of + B that have the same origin as B.

            • +
          +
          3. + +

        3. Let windows be the list of Window objects constructed by taking + the [[Window]] internal slot value of browsingContext's WindowProxy + object for each browsingContext in browsingContexts.

          4. -

        4. Set window's consumable activation flag to true.

          5. +

        5. For each window in windows, + activate window.

          6. -

        6. Set window's last activation time to the current time.

        - -
      + -

      To consume user activation for a Window W, perform the - following steps:

      +
      Activation consumption
      +
      +

      When an activation consuming API is called in Window W, + the user agent must perform the following steps:

      -
        -

      1. If W's browsing context is null, then - return.

        2. +
          +

        1. If W's browsing context is null, then + return.

          2. -

        2. Let top be W's browsing context's - top-level browsing context.

          3. +

        3. Let top be W's browsing context's + top-level browsing context.

          4. -

        4. Let browsingContexts be the list of the descendant browsing - contexts of top's active document.

          5. +

        5. Let browsingContexts be the list of the descendant browsing + contexts of top's active document.

          6. -

        6. Append top to - browsingContexts.

          7. +

        7. Append top to + browsingContexts.

          8. -

        8. Let windows be the list of Window objects constructed by, for each - browsingContext of browsingContexts, taking the [[Window]] internal slot - value of browsingContext's WindowProxy object.

          9. +

        9. Let windows be the list of Window objects constructed by taking + the [[Window]] internal slot value of browsingContext's WindowProxy + object for each browsingContext of browsingContexts.

          10. -
        10. -

          For each window of windows:

          +

        11. For each window in windows, + deactivate window.

          12. -
            -

          1. Set window's consumable activation flag to false.

          - -
        +
      -

      Note the asymmetry between activation and - consumption from the perspective of the browsing contexts of the page. Activation only sets the - consumable activation flag to true for a browsing context's inclusive ancestors, but - consumption sets the flag to false for both ancestor and descendant browsing contexts. Consuming - the flag in this manner prevents malicious sites from making multiple calls to an activation - consuming API from a single user activation (possibly by exploiting a deep hierarchy of - browsing contexts).

      +
      + +

      Note the asymmetry in the sets of browsing + contexts in the page that are affected by activation notification vs + activation consumption: activation consumption changes (to false) the transient + activation states for all browsing contexts in the page, but activation + notification changes (to true) the states for a subset of those browsing contexts. The exhaustive + nature of consumption here is deliberate: it prevents malicious sites from making multiple calls + to an activation consuming API from a single user activation (possibly by exploiting + a deep hierarchy of iframes).

      -

      APIs gated by user activation

      +

      APIs gated by user activation

      -

      APIs that are dependent on user activation are classified into three different levels. The - levels are as follows, sorted by their "strength of dependence" on user activation (from strongest - to weakest):

      +

      APIs that are dependent on user activation are classified into three different levels. The + levels are as follows, sorted by their "strength of dependence" on user activation (from weakest + to strongest):

      -
      Transient activation-consuming APIs
      - -

      These APIs require the transient activation flag to be true, and they - consume user activation in each call to prevent multiple calls per user - activation.

      +
      Sticky activation-gated APIs
      +

      These APIs require the sticky activation state to be true, so they are blocked + until the very first user activation.

      Transient activation-gated APIs
      +

      These APIs require the transient activation state to be true but don't + consume it, so multiple calls are allowed per user activation until the transient state expires.

      -

      These APIs require the transient activation flag to be true, but don't - consume it, so multiple calls are allowed per user activation until the transient bit expires.

      - -
      Sticky activation-gated APIs
      - -

      These APIs require the sticky activation flag to be true, so they are blocked - until the very first user activation.

      +
      Transient activation-consuming APIs
      +

      These APIs require the transient activation state to be true, and they consume user activation in each call to prevent multiple + calls per user activation.

      @@ -73397,6 +73406,8 @@ END:VCARD
    5. touchend
      6. + +

      Activation behavior of elements

      Certain elements in HTML have an activation behavior, which means that the user @@ -79031,12 +79042,12 @@ console.assert(iframeWindow.frameElement === null); then:

        -

      1. If the transient activation flag is true and A's +

      2. If the transient activation state is true and A's active document's active sandboxing flag set has its sandboxed top-level navigation with user activation browsing context flag set, then return false.

        3. -

      3. Otherwise, if the transient activation flag is false and +

      4. Otherwise, if the transient activation state is false and A's active document's active sandboxing flag set has its sandboxed top-level navigation without user activation browsing context flag set, then return false.

        5. @@ -79352,7 +79363,7 @@ console.assert(iframeWindow.frameElement === null); applicable option from the following list:

        - @@ -81498,7 +81509,7 @@ interface BarProp {

        This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the transient - activation flag is false.

        + activation state is false.

        When the sandboxed top-level navigation without user activation browsing context flag is not set, content can navigate its top-level browsing @@ -81517,7 +81528,7 @@ interface BarProp {

        This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the transient - activation flag is true.

        + activation state is true.

        As with the sandboxed top-level navigation without user activation browsing context flag, this flag only affects the top-level browsing context; if it is not @@ -84050,7 +84061,7 @@ interface Location { // but see also For example, there could be a vulnerability in the target software's URL From 62ce5db7f0a2390c8dcc32b085af2970973207ae Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Tue, 15 Oct 2019 13:33:32 -0400 Subject: [PATCH 07/15] Fix build failures and typos. --- source | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/source b/source index 3708733cb0c..c4275aea2e0 100644 --- a/source +++ b/source @@ -73232,7 +73232,7 @@ END:VCARD

        Last activation timestamp, T:
        -

        An unrestricted double) indicating the last +

        An unrestricted double indicating the last time W got activation notification. The value of T would be a valid DOMHighResTimeStamp except for two cases: a positive infinity indicates that W has never been activated, while a negative infinity indicates that @@ -73243,7 +73243,7 @@ END:VCARD

        Transient activation duration, δ:
        -

        A user-agent-defined double) constant indicating how long a +

        A user-agent-defined double constant indicating how long a user activation is available for certain user activation gated APIs (e.g., for opening popups). The value of δ should be at most a few seconds so that the user can possibly perceive the link between an interaction with the page @@ -73353,11 +73353,11 @@ END:VCARD

        Note the asymmetry in the sets of browsing contexts in the page that are affected by activation notification vs activation consumption: activation consumption changes (to false) the transient - activation states for all browsing contexts in the page, but activation - notification changes (to true) the states for a subset of those browsing contexts. The exhaustive - nature of consumption here is deliberate: it prevents malicious sites from making multiple calls - to an activation consuming API from a single user activation (possibly by exploiting - a deep hierarchy of iframes).

        + activation states for all browsing contexts in the page, but activation notification + changes (to true) the states for a subset of those browsing contexts. The exhaustive nature of + consumption here is deliberate: it prevents malicious sites from making multiple calls to an + activation consuming API from a single user activation (possibly by exploiting a deep + hierarchy of iframes).

        @@ -73462,7 +73462,6 @@ END:VCARD -

        Focus

        From 2ef13c15ff1e486ba10148c709c18edfdd6b58bd Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Tue, 15 Oct 2019 14:23:38 -0400 Subject: [PATCH 08/15] More typos. --- source | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/source b/source index c4275aea2e0..dabe17df778 100644 --- a/source +++ b/source @@ -73226,11 +73226,11 @@ END:VCARD

        Data model

        -

        For the purpose of tracking user activation, the user agent maintains the following two values - for each Window object W:

        +

        For the purpose of tracking user activation, the user agent maintains the following two raw + values for each Window object W:

        -
        Last activation timestamp, T:
        +
        Last activation timestamp, T

        An unrestricted double indicating the last time W got activation notification. The value of T would be @@ -73241,7 +73241,7 @@ END:VCARD Initial value of T is positive infinity.

        -
        Transient activation duration, δ:
        +
        Transient activation duration, δ

        A user-agent-defined double constant indicating how long a user activation is available for certain user activation @@ -73254,17 +73254,19 @@ END:VCARD

        These two values infer two Boolean user activation states in W:

        -
          -

        • When current high resolution time is greater than or equal to T in - W, W is said to have sticky activation. This is W's - historical activation state, indicates whether the user has ever interacted in W. - This starts with a false value, and changes to true (then never changes back to false) when - W gets the very first activation notification.

          -
          • - -

        • When current high resolution time is greater than or equal to T - and less than T+δ in W, W is said to have transient - activation. This is W's current activation state, indicates whether the user +

          +
          Sticky activation
          +

          When current high resolution time is greater than or equal to T in + W, W is said to have sticky activation. This is + W's historical activation state, indicates whether the user has ever interacted in + W. This starts with a false value, and changes to true (then never changes back to + false) when W gets the very first activation notification.

          +
          + +
          Transient activation
          +

          When current high resolution time is greater than or equal to T + and less than T+δ in W, W is said to have transient + activation. This is W's current activation state, indicates whether the user has interacted in W recently. This starts with a false value, and remains true for a limited time after every activation notification W gets.

          @@ -73272,9 +73274,9 @@ END:VCARD data-x="activation-expiry">expired if it becomes false because δ time has elapsed since the last user activation. Note that it can become false even before the expiry time through activation consumption.

          -
          • +
        - +

        Processing model

        From 8cdcd7095afb8c084bc74fe8ccfa5cc9b9049b48 Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Tue, 29 Oct 2019 11:52:55 -0400 Subject: [PATCH 09/15] annevk's Oct22 comments, pass 1. --- source | 66 ++++++++++++++++++++++++++++++---------------------------- 1 file changed, 34 insertions(+), 32 deletions(-) diff --git a/source b/source index dabe17df778..024acb50816 100644 --- a/source +++ b/source @@ -73219,7 +73219,7 @@ END:VCARD

        To prevent abuse of certain APIs that could be annoying to users (e.g., opening popups or vibrating phones), user agents allow these APIs only when the user is actively interacting with - the web page or has interacted with the page at least once. This "active interaction" state is + the web page or has interacted with the page at least once. This "active interaction" state is maintained through the mechanism mentioned in this section.

        @@ -73233,7 +73233,7 @@ END:VCARD
        Last activation timestamp, T

        An unrestricted double indicating the last - time W got activation notification. The value of T would be + time W got activation notification. The value of T would be a valid DOMHighResTimeStamp except for two cases: a positive infinity indicates that W has never been activated, while a negative infinity indicates that a user activation gated API has

        A user-agent-defined double constant indicating how long a user activation is available for certain user activation - gated APIs (e.g., for opening popups). The value of δ should be at most a - few seconds so that the user can possibly perceive the link between an interaction with the page - and the page calling the activation gated API.

        + gated APIs (e.g., for opening popups).

        -
        +

        The value of Transient activation duration δ + be at most a few seconds so that the user can possibly perceive the link between an interaction + with the page and the page calling the activation gated API.

        +

        These two values infer two Boolean user activation states in W:

        Sticky activation

        When current high resolution time is greater than or equal to T in - W, W is said to have sticky activation. This is + W, W is said to have sticky activation. This is W's historical activation state, indicates whether the user has ever interacted in - W. This starts with a false value, and changes to true (then never changes back to + W. This starts with a false value, and changes to true (then never changes back to false) when W gets the very first activation notification.

        Transient activation

        When current high resolution time is greater than or equal to T and less than T+δ in W, W is said to have transient - activation. This is W's current activation state, indicates whether the user - has interacted in W recently. This starts with a false value, and remains true for a + activation. This is W's current activation state, indicates whether the user + has interacted in W recently. This starts with a false value, and remains true for a limited time after every activation notification W gets.

        The transient activation state is considered expired if it becomes false because δ time has - elapsed since the last user activation. Note that it can become false even before the expiry + elapsed since the last user activation. Note that it can become false even before the expiry time through activation consumption.

        @@ -73281,18 +73282,19 @@ END:VCARD

        Processing model

        The user agent updates the user activation data in - each Window object W using two elementary methods:

        + each Window object W using two elementary algorithms:

        • To activate W, the user agent assigns - current high resolution time to T.

          • + current high resolution time to last activation timestamp + T.

        • To deactivate W, the user agent - assigns negative infinity to T provided that the old value of T was not - positive infinity.

          • + assigns negative infinity to last activation timestamp T provided that + the old value of T was not positive infinity.

        - These methods are used in the following two algorithms: + These two elementary algorithms are used in the following two algorithms:
        Activation notification
        @@ -73307,18 +73309,19 @@ END:VCARD

      5. B,

      6. all ancestor browsing contexts of B, and

        7. +

      7. all the child browsing contexts of - B that have the same origin as B.

        8. + B that have active documents from the same + origin as the active document of B.

      8. Let windows be the list of Window objects constructed by taking - the [[Window]] internal slot value of browsingContext's WindowProxy - object for each browsingContext in browsingContexts.

        9. + the [[Window]] internal slot value of browsingContext's WindowProxy + object for each browsingContext in browsingContexts.

      9. For each window in windows, - activate window.

        10. - + activate window.

      @@ -73329,24 +73332,23 @@ END:VCARD

      1. If W's browsing context is null, then - return.

        2. + return.

      2. Let top be W's browsing context's - top-level browsing context.

        3. + top-level browsing context.

      3. Let browsingContexts be the list of the descendant browsing - contexts of top's active document.

        4. + contexts of top's active document.

      4. Append top to - browsingContexts.

        5. + browsingContexts.

      5. Let windows be the list of Window objects constructed by taking - the [[Window]] internal slot value of browsingContext's WindowProxy - object for each browsingContext of browsingContexts.

        6. + the [[Window]] internal slot value of browsingContext's WindowProxy + object for each browsingContext of browsingContexts.

      6. For each window in windows, - deactivate window.

        7. - + deactivate window.

      @@ -73356,7 +73358,7 @@ END:VCARD contexts in the page that are affected by activation notification vs activation consumption: activation consumption changes (to false) the transient activation states for all browsing contexts in the page, but activation notification - changes (to true) the states for a subset of those browsing contexts. The exhaustive nature of + changes (to true) the states for a subset of those browsing contexts. The exhaustive nature of consumption here is deliberate: it prevents malicious sites from making multiple calls to an activation consuming API from a single user activation (possibly by exploiting a deep hierarchy of iframes).

      @@ -73365,7 +73367,7 @@ END:VCARD

      APIs gated by user activation

      -

      APIs that are dependent on user activation are classified into three different levels. The +

      APIs that are dependent on user activation are classified into three different levels. The levels are as follows, sorted by their "strength of dependence" on user activation (from weakest to strongest):

      @@ -73388,7 +73390,7 @@ END:VCARD

      Input events triggering user activation

      -

      The event set is inconsistent across major browsers. See The event set is inconsistent across major browsers. See issue #3849.

      A Window object W is considered activated when W or any From a3d0f0bd72386298860166495e22568b8b2a2e98 Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Tue, 29 Oct 2019 16:37:19 -0400 Subject: [PATCH 10/15] annevk's Oct22 comments, pass 2: fixing references. --- source | 43 ++++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/source b/source index 024acb50816..35a89dc16ae 100644 --- a/source +++ b/source @@ -30261,7 +30261,7 @@ interface HTMLIFrameElement : HTMLElement { the allow-top-navigation-by-user-activation keyword behaves similarly but allows such navigation only when - the transient activation state is true; and the transient activation; and the allow-forms, allow-modals, allow-orientation-lock, MediaError {

      A media element is said to be allowed to play if the user agent and the system allow media playback in the current context.

      -

      For example, a user agent could allow playback only when the transient - activation state is true, but an exception could be made to allow playback while For example, a user agent could allow playback only when the media + element's Window object has transient activation, but an + exception could be made to allow playback while muted.

      A media element is said to have ended playback when:

      @@ -47892,8 +47893,8 @@ ldh-str = < as defined in Processing model

      The user agent updates the user activation data in @@ -79045,12 +79051,11 @@ console.assert(iframeWindow.frameElement === null); then:

        -

      1. If the transient activation state is true and A's - active document's active sandboxing flag set has its sandboxed - top-level navigation with user activation browsing context flag set, then return - false.

        2. +

      2. If A has transient activation and A's active + document's active sandboxing flag set has its sandboxed top-level + navigation with user activation browsing context flag set, then return false.

        3. -

      3. Otherwise, if the transient activation state is false and +

      4. Otherwise, if A does not have transient activation and A's active document's active sandboxing flag set has its sandboxed top-level navigation without user activation browsing context flag set, then return false.

        5. @@ -79366,8 +79371,8 @@ console.assert(iframeWindow.frameElement === null); applicable option from the following list:

        -

        The user agent may inform the user that a popup has been blocked.

        @@ -81511,8 +81516,8 @@ interface BarProp {

        This flag prevents content from navigating their top-level browsing context and prevents content from closing their - top-level browsing context. It is consulted only when the transient - activation state is false.

        + top-level browsing context. It is consulted only when the sandboxed browsing + context does not have transient activation.

        When the sandboxed top-level navigation without user activation browsing context flag is not set, content can navigate its top-level browsing @@ -81530,8 +81535,8 @@ interface BarProp {

        This flag prevents content from navigating their top-level browsing context and prevents content from closing their - top-level browsing context. It is consulted only when the transient - activation state is true.

        + top-level browsing context. It is consulted only when the sandboxed browsing + context has transient activation.

        As with the sandboxed top-level navigation without user activation browsing context flag, this flag only affects the top-level browsing context; if it is not @@ -84063,9 +84068,9 @@ interface Location { // but see also For example, there could be a vulnerability in the target software's URL handler which a hostile page would attempt to exploit by tricking a user into clicking a link.

        From 185cda120400b3b3e27335d51c1205dcffb8d9a9 Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Thu, 31 Oct 2019 14:03:29 -0400 Subject: [PATCH 11/15] annevk's Oct30 comments. --- source | 82 +++++++++++++++++++++++++++++++--------------------------- 1 file changed, 44 insertions(+), 38 deletions(-) diff --git a/source b/source index 35a89dc16ae..bdca8e9fa47 100644 --- a/source +++ b/source @@ -73231,18 +73231,18 @@ END:VCARD values for each Window object W:

        -
        Last activation timestamp, T
        +
        Last activation timestamp
        -

        An unrestricted double indicating the last - time W got activation notification. The value of T would be - a valid DOMHighResTimeStamp except for two cases: a positive infinity - indicates that W has never been activated, while a negative infinity indicates that - a user activation gated API has consumed the last user activation of W. - Initial value of T is positive infinity.

        +

        An unrestricted double indicating the last time + W got activation notification. This is a valid + DOMHighResTimeStamp except for two cases: a positive infinity + indicates that W has never been activated, while a negative infinity indicates that a + user activation gated API has consumed the last user activation of W. Initial value of + last activation timestamp is positive infinity.

        -
        Transient activation duration, δ
        +
        Transient activation duration

        A user-agent-defined double constant indicating how long a user activation is available for certain user activation @@ -73250,41 +73250,47 @@ END:VCARD

        -

        The value of Transient activation duration δ - be at most a few seconds so that the user can possibly perceive the link between an interaction - with the page and the page calling the activation gated API.

        +

        Transient activation duration is expected be at most a few seconds so + that the user can possibly perceive the link between an interaction with the page and the page + calling the activation gated API.

        -

        These two values infer two Boolean user activation states in W:

        +

        These two values infer two Boolean user activation states in W as well as in the + corresponding browsing context:

        Sticky activation
        -

        When current high resolution time is greater than or equal to T in - W, W is said to have sticky activation. This is - W's historical activation state, indicates whether the user has ever interacted in - W. This starts with a false value, and changes to true (then never changes back to - false) when W gets the very first activation notification.

        +

        When current high resolution time is greater than or equal to last + activation timestamp in W, W is said to have sticky + activation. This is W's historical activation state, indicates whether the + user has ever interacted in W. This starts with a false value, and changes to true + (then never changes back to false) when W gets the very first activation + notification.

        + +

        A browsing context B is said to have sticky activation + if the Window object corresponding to the [[Window]] internal slot value of + B's WindowProxy has sticky activation.

        Transient activation
        -

        When current high resolution time is greater than or equal to T - and less than T+δ in W, W is said to have transient - activation. This is W's current activation state, indicates whether the user - has interacted in W recently. This starts with a false value, and remains true for a - limited time after every activation notification W gets.

        +

        When current high resolution time is greater than or equal to last + activation timestamp, and less than last activation timestamp plus + transient activation duration in W, W is said to have + transient activation. This is W's current activation state, indicates + whether the user has interacted in W recently. This starts with a false value, and + remains true for a limited time after every activation notification W + gets.

        + +

        A browsing context B is said to have transient + activation if the Window object corresponding to the [[Window]] internal + slot value of B's WindowProxy has transient activation.

        The transient activation state is considered expired if it becomes false because δ time has - elapsed since the last user activation. Note that it can become false even before the expiry - time through activation consumption.

        + data-x="activation-expiry">expired if it becomes false because transient activation + duration time has elapsed since the last user activation. Note that it can become false + even before the expiry time through activation consumption.

        -
        -

        The above two states are similarly defined for a browsing context B: B - has sticky (respectively transient) activation if the Window object corresponding to - the [[Window]] internal slot value of B's WindowProxy has sticky - (respectively transient) activation.

        -

        Processing model

        The user agent updates the user activation data in @@ -73292,12 +73298,11 @@ END:VCARD

        • To activate W, the user agent assigns - current high resolution time to last activation timestamp - T.

          • + current high resolution time to last activation timestamp.

        • To deactivate W, the user agent - assigns negative infinity to last activation timestamp T provided that - the old value of T was not positive infinity.

          • + assigns negative infinity to last activation timestamp provided that the old value + of last activation timestamp was not positive infinity.

        These two elementary algorithms are used in the following two algorithms: @@ -73357,9 +73362,11 @@ END:VCARD deactivate window.

      - +

      The spec is not clear about how to traverse a tree of documents. See issue #5020.

      +

      Note the asymmetry in the sets of browsing contexts in the page that are affected by activation notification vs activation consumption: activation consumption changes (to false) the transient @@ -73391,7 +73398,6 @@ END:VCARD

      These APIs require the transient activation state to be true, and they consume user activation in each call to prevent multiple calls per user activation.

      -

      Input events triggering user activation

      From 4bc8b54dfcb519db5eeb0d96fcd0fdd2b5377a41 Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Mon, 4 Nov 2019 11:17:01 -0500 Subject: [PATCH 12/15] annevk's Nov4 comments. --- source | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/source b/source index bdca8e9fa47..c8dbbc382f2 100644 --- a/source +++ b/source @@ -73234,11 +73234,11 @@ END:VCARD
      Last activation timestamp

      An unrestricted double indicating the last time - W got activation notification. This is a valid + W got an activation notification. This is a valid DOMHighResTimeStamp except for two cases: a positive infinity indicates that W has never been activated, while a negative infinity indicates that a user activation gated API has consumed the last user activation of W. Initial value of + consumption">consumed the last user activation of W. Initial value of last activation timestamp is positive infinity.

      @@ -73254,7 +73254,7 @@ END:VCARD that the user can possibly perceive the link between an interaction with the page and the page calling the activation gated API.

      -

      These two values infer two Boolean user activation states in W as well as in the +

      These two values infer two boolean user activation states in W as well as in the corresponding browsing context:

      @@ -73287,7 +73287,7 @@ END:VCARD

      The transient activation state is considered expired if it becomes false because transient activation duration time has elapsed since the last user activation. Note that it can become false - even before the expiry time through activation consumption.

      + even before the expiry time through an activation consumption.

      @@ -73305,7 +73305,7 @@ END:VCARD of last activation timestamp was not positive infinity.

      - These two elementary algorithms are used in the following two algorithms: +

      These two elementary algorithms are used in the following two algorithms:

      Activation notification
      @@ -73368,13 +73368,13 @@ END:VCARD href="https://github.com/whatwg/html/issues/5020">issue #5020.

      Note the asymmetry in the sets of browsing - contexts in the page that are affected by activation notification vs - activation consumption: activation consumption changes (to false) the transient - activation states for all browsing contexts in the page, but activation notification - changes (to true) the states for a subset of those browsing contexts. The exhaustive nature of - consumption here is deliberate: it prevents malicious sites from making multiple calls to an - activation consuming API from a single user activation (possibly by exploiting a deep - hierarchy of iframes).

      + contexts in the page that are affected by an activation notification vs an + activation consumption: an activation consumption changes (to false) the + transient activation states for all browsing contexts in the page, but an activation + notification changes (to true) the states for a subset of those browsing contexts. The exhaustive + nature of consumption here is deliberate: it prevents malicious sites from making multiple calls + to an activation consuming API from a single user activation (possibly by exploiting + a deep hierarchy of iframes).

      From 6a37e3493ae2e5d922043f31fad3a05c7ee6c89f Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Mon, 11 Nov 2019 12:58:19 -0500 Subject: [PATCH 13/15] Editorial tweaks and rearrangements --- source | 257 ++++++++++++++++++++++++++------------------------------- 1 file changed, 117 insertions(+), 140 deletions(-) diff --git a/source b/source index c8dbbc382f2..9ef794bc94c 100644 --- a/source +++ b/source @@ -73221,165 +73221,164 @@ END:VCARD

      To prevent abuse of certain APIs that could be annoying to users (e.g., opening popups or vibrating phones), user agents allow these APIs only when the user is actively interacting with the web page or has interacted with the page at least once. This "active interaction" state is - maintained through the mechanism mentioned in this section.

      + maintained through the mechanisms defined in this section.

      Data model

      -

      For the purpose of tracking user activation, the user agent maintains the following two raw - values for each Window object W:

      +

      For the purpose of tracking user activation, each Window W has a + last activation timestamp. This is a number indicating the last time W got + an activation notification. It corresponds to a + DOMHighResTimeStamp value except for two cases: positive infinity + indicates that W has never been activated, while negative infinity indicates that a user activation-gated API has consumed the last user activation of W. The initial value is + positive infinity.

      -
      -
      Last activation timestamp
      -
      -

      An unrestricted double indicating the last time - W got an activation notification. This is a valid - DOMHighResTimeStamp except for two cases: a positive infinity - indicates that W has never been activated, while a negative infinity indicates that a - user activation gated API has consumed the last user activation of W. Initial value of - last activation timestamp is positive infinity.

      -
      - -
      Transient activation duration
      -
      -

      A user-agent-defined double constant indicating how long a - user activation is available for certain user activation - gated APIs (e.g., for opening popups).

      -
      -
      +

      A user agent also defines a transient activation duration, which is a constant + number indicating how long a user activation is available for certain user activation-gated APIs (e.g., for opening popups).

      -

      Transient activation duration is expected be at most a few seconds so - that the user can possibly perceive the link between an interaction with the page and the page - calling the activation gated API.

      +

      The transient activation duration is expected be at most a few + seconds, so that the user can possibly perceive the link between an interaction with the page and + the page calling the activation-gated API.

      -

      These two values infer two boolean user activation states in W as well as in the - corresponding browsing context:

      +

      These two values imply two boolean user activation states for W as well as + W's corresponding browsing context:

      -
      Sticky activation
      -

      When current high resolution time is greater than or equal to last +

      Sticky activation
      +
      +

      When the current high resolution time is greater than or equal to the last activation timestamp in W, W is said to have sticky - activation. This is W's historical activation state, indicates whether the - user has ever interacted in W. This starts with a false value, and changes to true - (then never changes back to false) when W gets the very first activation - notification.

      + activation.

      + +

      This is W's historical activation state, indicating whether the user has ever + interacted in W. It starts false, then changes to true (and never changes back to + false) when W gets the very first activation notification.

      A browsing context B is said to have sticky activation - if the Window object corresponding to the [[Window]] internal slot value of - B's WindowProxy has sticky activation.

      + if B's WindowProxy's [[Window]] value has sticky + activation.

      -
      Transient activation
      -

      When current high resolution time is greater than or equal to last - activation timestamp, and less than last activation timestamp plus - transient activation duration in W, W is said to have - transient activation. This is W's current activation state, indicates - whether the user has interacted in W recently. This starts with a false value, and - remains true for a limited time after every activation notification W - gets.

      +
      Transient activation
      +
      +

      When the current high resolution time is greater than or equal to the last + activation timestamp in W, and less than the last activation + timestamp in W plus the transient activation duration, then + W is said to have transient activation.

      + +

      This is W's current activation state, indicating whether the user has interacted + in W recently. This starts with a false value, and remains true for a limited time + after every activation notification W gets.

      A browsing context B is said to have transient - activation if the Window object corresponding to the [[Window]] internal - slot value of B's WindowProxy has transient activation.

      + activation if B's WindowProxy's [[Window]] value has + transient activation.

      The transient activation state is considered expired if it becomes false because transient activation - duration time has elapsed since the last user activation. Note that it can become false - even before the expiry time through an activation consumption.

      + data-x="activation-expiry">expired if it becomes false because the transient + activation duration time has elapsed since the last user activation. Note that it can + become false even before the expiry time through an activation consumption.

      Processing model

      -

      The user agent updates the user activation data in - each Window object W using two elementary algorithms:

      +

      When a user interaction in a browsing context B causes firing of an + activation triggering input event in B, the user agent must perform the + following activation notification steps before dispatching the event:

      -
        -

      • To activate W, the user agent assigns - current high resolution time to last activation timestamp.

        • +
          +
        1. +

          Let browsingContexts be a list consisting of:

          +
            +

          • B,

            • -

          • To deactivate W, the user agent - assigns negative infinity to last activation timestamp provided that the old value - of last activation timestamp was not positive infinity.

            • -
          +

        2. all ancestor browsing contexts of + B, and

          3. -

          These two elementary algorithms are used in the following two algorithms:

          +

        3. all the child browsing contexts of + B that have active documents whose + origin is the same as that of the active + document of B.

          4. +
      + -
      -
      Activation notification
      -
      -

      When a user interaction in a browsing context B causes firing of an - activation triggering input event in B, - the user agent must perform the following steps before dispatching the event:

      -
        -

      1. Let browsingContexts be a list consisting of:

        -
          -

        • B,

          • -

        • all ancestor browsing contexts of - B, and

          • +

        • Let windows be the list of Window objects constructed by taking + the [[Window]] internal slot value of browsingContext's WindowProxy + object for each browsingContext in browsingContexts.

          • -

        • all the child browsing contexts of - B that have active documents from the same - origin as the active document of B.

          • -
        -
        2. +

      2. For each window in windows, set + window's last activation timestamp to the current high resolution + time.

        3. +
      -

    6. Let windows be the list of Window objects constructed by taking - the [[Window]] internal slot value of browsingContext's WindowProxy - object for each browsingContext in browsingContexts.

      7. +

      An activation triggering input event is any event whose isTrusted attribute is true and whose type is one of:

      -

    7. For each window in windows, - activate window.

      8. -
    - +
      +
    • change
      • +
    • click
      • +
    • contextmenu
      • +
    • dblclick
      • +
    • mouseup
      • +
    • pointerup
      • +
    • reset
      • +
    • submit
      • +
    • touchend
      • +
    -
    Activation consumption
    -
    -

    When an activation consuming API is called in Window W, - the user agent must perform the following steps:

    +

    The event set is inconsistent across major browsers. See issue #3849.

    -
      -

    1. If W's browsing context is null, then - return.

      2. +

      Activation consuming APIs defined in this and + other specifications can consume user activation by performing the + following steps, given a Window W:

      -

    2. Let top be W's browsing context's - top-level browsing context.

      3. +
        +

      1. If W's browsing context is null, then + return.

        2. -

      2. Let browsingContexts be the list of the descendant browsing - contexts of top's active document.

        3. +

      3. Let top be W's browsing context's + top-level browsing context.

        4. -

      4. Append top to - browsingContexts.

        5. +

      5. Let browsingContexts be the list of the descendant browsing + contexts of top's active document.

        6. -

      6. Let windows be the list of Window objects constructed by taking - the [[Window]] internal slot value of browsingContext's WindowProxy - object for each browsingContext of browsingContexts.

        7. +

      7. Append top to + browsingContexts.

        8. -

      8. For each window in windows, - deactivate window.

        9. -
      -
    - +

  • Let windows be the list of Window objects constructed by taking + the [[Window]] internal slot value of browsingContext's WindowProxy + object for each browsingContext of browsingContexts.

    • + +

  • For each window in windows, if + window's last activation timestamp is not positive infinity, then set + window's last activation timestamp to negative infinity.

    • +

    The spec is not clear about how to traverse a tree of documents. See issue #5020.

    Note the asymmetry in the sets of browsing contexts in the page that are affected by an activation notification vs an - activation consumption: an activation consumption changes (to false) the - transient activation states for all browsing contexts in the page, but an activation - notification changes (to true) the states for a subset of those browsing contexts. The exhaustive - nature of consumption here is deliberate: it prevents malicious sites from making multiple calls - to an activation consuming API from a single user activation (possibly by exploiting - a deep hierarchy of iframes).

    - - + activation consumption: an activation consumption + changes (to false) the transient activation states for all browsing contexts in the + page, but an activation notification changes (to true) the states for a subset of those browsing + contexts. The exhaustive nature of consumption here is deliberate: it prevents malicious sites + from making multiple calls to an activation consuming API from a single user + activation (possibly by exploiting a deep hierarchy of iframes).

    APIs gated by user activation

    + +

    APIs that are dependent on user activation are classified into three different levels. The levels are as follows, sorted by their "strength of dependence" on user activation (from weakest to strongest):

    @@ -73390,38 +73389,16 @@ END:VCARD until the very first user activation.

    Transient activation-gated APIs
    -

    These APIs require the transient activation state to be true but don't - consume it, so multiple calls are allowed per user activation until the transient state expires.

    +

    These APIs require the transient activation state to be true, but they don't + consume it, so multiple calls are allowed per user + activation until the transient state expires.

    Transient activation-consuming APIs
    -

    These APIs require the transient activation state to be true, and they consume user activation in each call to prevent multiple - calls per user activation.

    +

    These APIs require the transient activation state to be true, and they + consume user activation in each call to prevent multiple calls per user + activation.

    -

    Input events triggering user activation

    - -

    The event set is inconsistent across major browsers. See issue #3849.

    - -

    A Window object W is considered activated when W or any - elements of W receives an event whose isTrusted attribute is true and whose type is one of:

    - -
      -
    • change
      • -
    • click
      • -
    • contextmenu
      • -
    • dblclick
      • -
    • mouseup
      • -
    • pointerup
      • -
    • reset
      • -
    • submit
      • -
    • touchend
      • -
    -

    Activation behavior of elements

    From 0eab091644b3d18660be39914d279c48cddcf5b3 Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Tue, 26 Nov 2019 14:44:24 -0500 Subject: [PATCH 14/15] Remove activation state of a browsing context, fix same-origin descendants. --- source | 66 ++++++++++++++++++++++++++-------------------------------- 1 file changed, 30 insertions(+), 36 deletions(-) diff --git a/source b/source index 9ef794bc94c..eeb1e8340ec 100644 --- a/source +++ b/source @@ -30260,10 +30260,10 @@ interface HTMLIFrameElement : HTMLElement { keyword allows the content to navigate its top-level browsing context; the allow-top-navigation-by-user-activation - keyword behaves similarly but allows such navigation only when - the browsing context has transient activation; and the allow-forms, allow-modals, navigation only when the + browsing context's WindowProxy's [[Window]] value has transient + activation; and the allow-forms, + allow-modals, allow-orientation-lock, allow-pointer-lock, allow-popups, seconds, so that the user can possibly perceive the link between an interaction with the page and the page calling the activation-gated API.

    -

    These two values imply two boolean user activation states for W as well as - W's corresponding browsing context:

    +

    These two values imply two boolean user activation states for W:

    Sticky activation
    @@ -73257,10 +73256,6 @@ END:VCARD

    This is W's historical activation state, indicating whether the user has ever interacted in W. It starts false, then changes to true (and never changes back to false) when W gets the very first activation notification.

    - -

    A browsing context B is said to have sticky activation - if B's WindowProxy's [[Window]] value has sticky - activation.

    Transient activation
    @@ -73274,10 +73269,6 @@ END:VCARD in W recently. This starts with a false value, and remains true for a limited time after every activation notification W gets.

    -

    A browsing context B is said to have transient - activation if B's WindowProxy's [[Window]] value has - transient activation.

    -

    The transient activation state is considered expired if it becomes false because the transient activation duration time has elapsed since the last user activation. Note that it can @@ -73289,9 +73280,9 @@ END:VCARD

    Processing model

    When a user interaction in a browsing context B causes firing of an - activation triggering input event in B, the user agent must perform the - following activation notification steps before dispatching the event:

    + activation triggering input event in B's active document + D, the user agent must perform the following activation notification steps + before dispatching the event:

    1. @@ -73302,10 +73293,10 @@ END:VCARD

    2. all ancestor browsing contexts of B, and

      3. -

    3. all the child browsing contexts of - B that have active documents whose - origin is the same as that of the active - document of B.

      4. +

    4. all the descendant browsing + contexts of D that have active + documents whose origin is the same as + that of D.

      5. @@ -79034,14 +79025,15 @@ console.assert(iframeWindow.frameElement === null); then:

        -

      1. If A has transient activation and A's active - document's active sandboxing flag set has its sandboxed top-level - navigation with user activation browsing context flag set, then return false.

        2. - -

      2. Otherwise, if A does not have transient activation and - A's active document's active sandboxing flag set has its - sandboxed top-level navigation without user activation browsing context flag set, - then return false.

        3. +

      3. If A's WindowProxy's [[Window]] value has transient + activation and A's active document's active sandboxing + flag set has its sandboxed top-level navigation with user activation browsing + context flag set, then return false.

        4. + +

      4. Otherwise, if A's WindowProxy's [[Window]] value does not have + transient activation and A's active document's + active sandboxing flag set has its sandboxed top-level navigation without + user activation browsing context flag set, then return false.

      @@ -79354,9 +79346,9 @@ console.assert(iframeWindow.frameElement === null); applicable option from the following list:

      - +

      The user agent may inform the user that a popup has been blocked.

      @@ -81500,7 +81492,8 @@ interface BarProp {

      This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the sandboxed browsing - context does not have transient activation.

      + context's WindowProxy's [[Window]] value does not have transient + activation.

      When the sandboxed top-level navigation without user activation browsing context flag is not set, content can navigate its top-level browsing @@ -81519,7 +81512,7 @@ interface BarProp {

      This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the sandboxed browsing - context has transient activation.

      + context's WindowProxy's [[Window]] value has transient activation.

      As with the sandboxed top-level navigation without user activation browsing context flag, this flag only affects the top-level browsing context; if it is not @@ -84052,8 +84045,9 @@ interface Location { // but see also For example, there could be a vulnerability in the target software's URL handler which a hostile page would attempt to exploit by tricking a user into clicking a link.

      From e778ead2f91c8e6b2b3e0e81f744c389b2bb79e9 Mon Sep 17 00:00:00 2001 From: Mustaq Ahmed Date: Wed, 4 Dec 2019 11:56:45 -0500 Subject: [PATCH 15/15] Minor rephrasing. --- source | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source b/source index eeb1e8340ec..2026f13127f 100644 --- a/source +++ b/source @@ -73295,8 +73295,7 @@ END:VCARD

    5. all the descendant browsing contexts of D that have active - documents whose origin is the same as - that of D.

      6. + documents from the same origin as that of D.