Re: [compute-pressure] Focus control in privacy test steps (#185)

> > Let’s consider a special case. As shown in the picture, Main frame A embedded iframe B, iframe B embedded iframe C, iframe C embedded iframe D. Main frame A and iframe C are same -origin, iframe B and iframe D are same-origin, but Main frame A and iframe B are cross-origin. According to the spec, If we focus on iframe B, observer in Iframe D can receive PressureRecord, right? Because top-level browsing context has system (system focus is actually per window, so if the iframe has focus, the top-level browsing context will have system focus) and the document (iframe D) is same-origin with focused document (iframe B).
> 
> According to the spec (as it is written right now), only the focused frame (and anyone same origin with it's origin) can receive events. The frame also has to have all its parents having granted permission policy (auto granted for top level frame)

Yes, permission policy has already been considered. If an iframe is not allowed by permission policy, observer in the frame can't call observe() successfully (see [code](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/compute_pressure/pressure_observer.cc;l=78)). 
There are two issues to be determined:
1. Is cross-origin frame allowed to receive events if permission policy granted? (Is iframe C allowed to receive events if we focus on iframe B?)
2. Does it require any parent has the focus? (Is iframe B allowed to receive events if we focus on iframe D?)

-- 
GitHub Notification of comment by wangw-1991
Please view or discuss this issue at https://github.com/w3c/compute-pressure/issues/185#issuecomment-1432372196 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 16 February 2023 02:10:44 UTC