[Meta issue] Fix external references to HTML user activation behavior

[mustaqahmed]

We have just landed the revamped user activation model in the HTML spec, closing #1903 and #3859. It's time to fix other specs that refer to the old activation model. (Note that the PR above fixes the references within the HTML spec.)

We will track the overall progress of the work (in other specs) through this meta-issue. Each of those other specs will still need its own tracking issue; this meta-issue will simply link to the external issues.

---

[Last update: 2021-Apr-15] Here is a task list for external APIs mentioned in this thread below. We will try to keep the list updated (manually) to ease progress tracking:

• Permissions.
• Vibration.
• WebBluetooth.
• WebUSB.
• Clipboard API.
• Payment Request.
• Fullscreen.
• Web NFC.
• WebAudio.
• Web Share.
• Picture-in-picture.
• Media session.
• PointerLock.
• Wake Lock.

[mustaqahmed]

FYI for other spec owners: we will need to rewrite the dependency on user activation using the new classification as a guide.

Here is a quick rule of thumb, but each spec still needs a careful look for corner cases: most other specs we checked refer to the old model using something like "allow the API when triggered by user activation/user gesture"; we will need to replace the phrase with "allow the API when (a specific) Window has transient or sticky user activation". (In a few cases we may also need to add "...then consume the user activation").

Please reach out to us (@domenic or me) for API specific guidance.

[mustaqahmed]

User activation in Permissions API: w3c/permissions#194

[mustaqahmed]

Vibration API: WICG/interventions#47

[mustaqahmed]

WebBluetooth: WebBluetoothCG/web-bluetooth#463

[mustaqahmed]

WebUSB: WICG/webusb#178

[mustaqahmed]

Clipboard API: w3c/clipboard-apis#107

[mustaqahmed]

Payment Request API: w3c/payment-request#883

[marcoscaceres]

Payment Request and Wake Lock API also need guidance 🙏 (sorry for lack of links, on phone). Once I understand a bit more I’ll also be able to help with the updates.

[mustaqahmed]

Fullscreen: whatwg/fullscreen#160

(Edited the issue reference, the old one was about changing a current fullscreen behavior.)

[marcoscaceres]

Just notes as I'm working on updating specs:

• we should probably export "Transient activation-gated APIs"

That would allow other specs to say in the Privacy/Sec sections, "The X API is a [=Transient activation-gated API=]."

Moar thinking out loud, what would have been cool is a WebIDL extended attribute:

interface PaymentRequest {
   [Activation="transient"] Promise show();
};

then the WebIDL can find the Window, do the check, and throw the SecurityError DOMException.

[marcoscaceres]

I think "expired" need to be exported also, no?

I feel like I want to write:

   If the method was not triggered by [=window/transient activation=], 
   or the window [=window/has an expired transient activation=], 
   return [=a promise rejected with=] with a {{"SecurityError"}} {{DOMException}}.

Also, the spec text seems to imply that "transient activation" is always bound to a Window? (i.e., data-for=Window?) Or am I misreading?

[marcoscaceres]

Guidance that should also be provided is the best way to pull the window from the context object.

[marcoscaceres]

Ok, so, might be good to add a note that Editor's don't need to check for "expired"... I definitely think we should provide guidance on getting the Window object from inside a method.

I reached for:

Let |window| be the [=relevant global object=] of the [=environment settings object/responsible document=].

But I'm unsure if that's "best practice"™️.

[beaufortfrancois]

Web NFC: w3c/web-nfc#449

[padenot]

Web Audio API: WebAudio/web-audio-api#2107

[mustaqahmed]

We have collected a set of general tips in this doc: User Activation: Guidance for spec authors.

We will try our best to keep the doc updated if we encounter anything that applies to more than a few specs.

[rakuco]

The Wake Lock spec is being updated in w3c/screen-wake-lock#252