[PEPC] Disable focusing via script

The PEPC element should not be able to focused via the `focus()` function since it can be abused for obtaining unintentional clicks by focusing the element at unexpected times. Change-Id: I1fe10d3315120f03accfc99b518bef971ecd2947 Fixed: 335834885 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5463501 Reviewed-by: Mason Freed <masonf@chromium.org> Reviewed-by: Aaron Leventhal <aleventhal@chromium.org> Commit-Queue: Andy Paicu <andypaicu@chromium.org> Reviewed-by: Thomas Nguyen <tungnh@chromium.org> Cr-Commit-Position: refs/heads/main@{#1298585}
web-platform-tests · May 9, 2024 · f65f536 · f65f536
1 parent 5519d8a
commit f65f536
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/html/semantics/permission-element/no-focus.tentative.html b/html/semantics/permission-element/no-focus.tentative.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<link rel="help" href="https://github.com/WICG/PEPC/blob/main/explainer.md#locking-the-pepc-style">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-actions.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+<body>
+<!-- The permission element should not be focusable by script.
+-->
+<permission tabindex="0" id="valid_permission_element" type="geolocation">
+
+<span tabindex="0" id="focusable_span">This is some text</span>
+
+<!-- style needed to allow the invalid element to have a width -->
+<permission style="width: auto; padding-left: 10px" tabindex="0" id="invalid_permission_element" type="invalid">
+
+<script>
+  promise_test(async() => {
+    valid_permission_element.focus();
+    assert_equals(document.activeElement, document.body,
+      "Permission element should not be focused. Instead the parent element gets focus.");
+
+    actions = new test_driver.Actions()
+       .pointerMove(1, 1, {origin: valid_permission_element})
+       .pointerDown()
+       .addTick();
+    await actions.send();
+
+    assert_equals(document.activeElement, valid_permission_element,
+      "Users can still focus the element");
+
+    focusable_span.focus();
+    assert_equals(document.activeElement, focusable_span,
+      "Other element should be focused");
+
+    invalid_permission_element.focus();
+    assert_equals(document.activeElement, focusable_span,
+      "Invalid permission element should not be focused");
+
+    actions = new test_driver.Actions()
+       .pointerMove(1, 1, {origin: invalid_permission_element})
+       .pointerDown()
+       .addTick();
+    await actions.send();
+
+    assert_equals(document.activeElement, document.body,
+      "Invalid permission element should not be focusable even by user.\
+      Instead the parent elements gets focus.");
+}, "Permission element is not focusable by script");
+</script>
+</body>