User Activation: siblings are not processed

[CanadaHonk]

What is the issue with the HTML Standard?

Looking at the same-origin propagation WPT, it has a frame tree like this (simplified):

• top
  • child one
  • child two

It clicks child two, then expects child one to be isActive and hasBeenActive too.

The spec user activation processing model states:

2. Let windows be « document's relevant global object ».
3. Extend windows with the active window of each of document's ancestor navigables.
4. Extend windows with the active window of each of document's descendant navigables, filtered to include only those navigables whose active document's origin is same origin with document's origin.
5. For each window in windows, set window's last activation timestamp to the current high resolution time.

It does not state what to do with the elements siblings (seemingly excluding them), yet the WPT expects the sibling of child two (child one) to be activated. Chromium and WebKit appear to follow the WPT behavior and not spec as above, this should probably be corrected in spec by adding same-origin siblings to windows too.

[annevk]

I wonder if instead of all the tree walks we should then just use an origin map on the agent instead.

@arturjanc @johannhof I guess there's an ABA question here as well, but probably not compatible to enforce it here.

[annevk]

So I called out this exact concern in #3851 (comment) (and elsewhere in the thread too). @mustaqahmed can you maybe help clarify what happened here? Same-origin sibling documents were indeed not meant to receive activation, but implementations never got updated and the specification didn't get updated either?

[CanadaHonk]

Looking at this Chromium bug, it seems they want to remove this behavior from their implementation and consider it a bug. Maybe this idea should just be ditched entirely? I can fix WPTs to match current spec.

[annevk]

I worry about compat, but it seems reasonable to update WPT given the state of the specification. However, let's give @mustaqahmed at least until next week to chime in here?

[mustaqahmed]

Thanks for spotting this. Yes we wanted to make Chrome spec complaint but never got a chance to fix it! And then I missed the crack when added the WPT 🤦🏼.

I agree that the compat concerns are real here. I see two ways forward:
A. Update the test to match the spec as @annevk suggested.
B. Rename the test to .tentative and link to this issue.

Let's vote. I am slightly biased towards A.

---

Closely related: User Activation has been proposed as a focus area for Interop 2024: web-platform-tests/interop#428. We need to find a list of WPTs there, and this one is a clear candidate.

[CanadaHonk]

I agree with A too. I've already updated the test in my Gecko patch implementing the API (was going to wait for this issue), so that'll get merged hopefully in the next week or so if everyone is good with that plan.

[arturjanc]

On the narrow, somewhat tangential point about ABA embedding scenarios (same-origin documents with a cross-origin / cross-site ancestor), I think the behavior here is fine from a security/privacy perspective. That is, we are sharing state (activation) across cross-origin ancestors, but this on its own isn't problematic -- the documents can synchronously access and postMessage to each other so this doesn't give them any new capabilities. And because activation is not application state in the same way that e.g. cookies or local storage are, it doesn't seem like the cross-origin ancestor (B) would be able to do anything malicious to leak / affect state from its descendant frame.

Security-wise it would also be okay to propagate the activation to siblings, but I agree that it would be somewhat awkward -- the proposed approach of making the WPT match the spec sounds reasonable to me.