[Bug 9602] Autofocus attribute.

http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602


Ian 'Hixie' Hickson <ian@hixie.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




--- Comment #18 from Ian 'Hixie' Hickson <ian@hixie.ch>  2010-09-10 09:36:53 ---
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are
satisfied with this response, please change the state of this bug to CLOSED. If
you have additional information and would like the editor to reconsider, please
reopen this bug. If you would like to escalate the issue to the full HTML
Working Group, please add the TrackerRequest keyword to this bug, and suggest
title and text for the tracker issue; or you may create a tracker issue
yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Partially Accepted
Change Description: see diff given below
Rationale:

autofocus="" is intended to improve the user experience by allowing sites to
automatically focus an element without moving the focus when the user is
already doing something. It's also intended to make it possible to do this with
scripting disabled. So I don't think we should drop it.

I've changed the spec to block it when the focus would be going cross-domain,
however. I haven't prevented it in the case of a same-origin cross-frame
transfer, because if you can inject same-origin frames, you might as well just
spoof the whole page and so autofocus isn't especially helpful in mounting an
attack.

Regarding who dropped the ball (W3C or WHATWG): it was me, and I'm a
participant in both groups. I should indeed have considered the implications of
this feature in a cross-domain situation.

Incidentally, "bubble" in this context usually refers to a particular phase of
the DOM events model. Focus is transferred or moved, not bubbled.


Received on Friday, 10 September 2010 09:36:55 UTC
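
The rule described in the comment above (autofocus is honored for a same-origin cross-frame transfer and blocked when focus would go cross-domain), as an added example that is not part of the original message or the spec text. The function names and sample URLs are constructed, and treating opaque origins as always cross-origin is a conservative assumption of this sketch.

```javascript
// Simplified model of the cross-origin autofocus rule; not the spec algorithm.

// Serialized tuple origin (scheme, host, port) of a URL, or null when the
// origin is opaque (data:, unparsable input). URL.origin serializes every
// opaque origin as the string "null", so comparing those strings directly
// would wrongly treat two unrelated opaque documents as same-origin.
function tupleOrigin(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null; // unparsable input never matches anything
  }
  return parsed.origin === "null" ? null : parsed.origin;
}

// focusedDocUrl: document that currently holds focus (hypothetical parameter)
// autofocusDocUrl: document containing the autofocus element (hypothetical)
function autofocusAllowed(focusedDocUrl, autofocusDocUrl) {
  const from = tupleOrigin(focusedDocUrl);
  const to = tupleOrigin(autofocusDocUrl);
  if (from === null || to === null) return false; // assumption: fail closed
  return from === to;
}

// Constructed sample cases: [focused document, autofocus document]
const sampleCases = [
  ["https://shop.example/checkout", "https://shop.example/widgets/frame.html"],
  ["https://shop.example/checkout", "https://ads.example/frame.html"],
  ["https://shop.example/", "https://shop.example:443/frame.html"],
  ["https://shop.example/", "http://shop.example/frame.html"],
  ["https://shop.example/", "https://shop.example:8443/frame.html"],
  ["data:text/html,a", "data:text/html,a"],
];

for (const [focused, target] of sampleCases) {
  const verdict = autofocusAllowed(focused, target) ? "allow" : "block";
  console.log(`${verdict}  ${focused} -> ${target}`);
}
```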