- From: <bugzilla@jessica.w3.org>
- Date: Fri, 10 Sep 2010 09:36:53 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602

Ian 'Hixie' Hickson <ian@hixie.ch> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |        |FIXED

--- Comment #18 from Ian 'Hixie' Hickson <ian@hixie.ch> 2010-09-10 09:36:53 ---

EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:

http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Partially Accepted

Change Description: see diff given below

Rationale: autofocus="" is intended to improve the user experience by allowing sites to automatically focus an element without moving the focus when the user is already doing something. It's also intended to make it possible to do this with scripting disabled. So I don't think we should drop it.

I've changed the spec to block it when the focus would be going cross-domain, however. I haven't prevented it in the case of a same-origin cross-frame transfer, because if you can inject same-origin frames, you might as well just spoof the whole page and so autofocus isn't especially helpful in mounting an attack.

Regarding who dropped the ball (W3C or WHATWG): it was me, and I'm a participant in both groups. I should indeed have considered the implications of this feature in a cross-domain situation.

Incidentally, "bubble" in this context usually refers to a particular phase of the DOM events model. Focus is transferred or moved, not bubbled.
Received on Friday, 10 September 2010 09:36:55 UTC