@@ -40,8 +40,9 @@ urlPrefix: https://html.spec.whatwg.org/multipage/; spec: HTML
4040 text: task queue
4141 text: spin the event loop; url: spin-the-event-loop
4242 urlPrefix: interaction.html
43+ text: DOM anchor; url: dom-anchor
4344 text: gains focus; url: gains-focus
44- text: currently focused area; url: currently-focused-area-of-a-top-level-browsing-context
45+ text: currently focused area; url: currently-focused-area-of-a-top-level-traversable
4546urlPrefix: https://w3ctag.github.io/security-questionnaire/; spec: SECURITY-PRIVACY-QUESTIONNAIRE
4647 type: dfn
4748 text: same-origin policy violations; url: sop-violations
@@ -405,12 +406,11 @@ the given [=sensor type=]. See [[PERMISSIONS-POLICY]] for more details.
405406
406407<h4 id="focused-area" oldids="losing-focus">Focused Area</h4>
407408
408- [=Sensor readings=] are only available for [=active documents=] whose
409- origin is [=same origin-domain=] with the [=currently focused area=]
410- document.
409+ [=Sensor readings=] are only available for an [=navigable/active document=] if
410+ the [=focus and origin check=] on it returns true.
411411
412412This is done in order to mitigate the risk of a skimming attack against the
413- [=browsing context =] containing an element which has [=gains focus|gained focus=] ,
413+ [=/navigable =] containing an element which has [=gains focus|gained focus=] ,
414414for example when the user carries out an in-game purchase using a third party
415415payment service from within an iframe.
416416
@@ -749,12 +749,11 @@ The [=reporting frequency=] differs from the {{Sensor}}'s {{Sensor/[[frequency]]
749749
750750## Conditions to expose sensor readings ## {#concepts-can-expose-sensor-readings}
751751
752- The user agent <dfn>can expose sensor readings</dfn> to a given |document| if and only if
753- all of the following are true:
752+ The user agent <dfn>can expose sensor readings</dfn> to a {{Document}}
753+ |document| if and only if all of the following are true:
754754 - |document|'s [=relevant settings object=] is a [=secure context=] .
755755 - |document|'s [=visibility state=] is "visible".
756- - The [=currently focused area=] belongs to a document whose origin is [=same
757- origin-domain=] with |document|'s origin.
756+ - The [=focus and origin check=] on |document| returns true.
758757 - <dfn export>Specific conditions</dfn> : [=Extension specifications=] may add new
759758 conditions to this list to have stricter requirements for their sensor types.
760759
@@ -809,7 +808,7 @@ The current [=browsing context=]'s [=platform sensor=] must have:
809808- An associated [=sensor type=] .
810809
811810Any time a new [=sensor reading=] for a [=platform sensor=] is obtained and if the user agent
812- [=can expose sensor readings=] to the current [=browsing context =] 's [=active document=] ,
811+ [=can expose sensor readings=] to the current [=/navigable =] 's [=navigable/ active document=] ,
813812the user agent invokes [=update latest reading=] with the [=platform sensor=] and
814813the [=sensor reading=] as arguments.
815814
@@ -1560,6 +1559,23 @@ to {{SensorErrorEventInit}}.
15601559 1. Return "granted".
15611560</div>
15621561
1562+ <h3 dfn export>Focus and origin check</h3>
1563+
1564+ <div algorithm="focus and origin check">
1565+
1566+ : input
1567+ :: |document|, a {{Document}} .
1568+ : output
1569+ :: A boolean.
1570+
1571+ 1. Let |origin| be |document|'s [=relevant settings object=]' s [=environment settings object/origin=] .
1572+ 1. Let |focusedDocument| be |document|'s [=node navigable=]' s [=navigable/top-level traversable=] 's
1573+ [=currently focused area=] 's [=DOM anchor=]' s [=node document=] .
1574+ 1. Let |focusedOrigin| be |focusedDocument|'s [=relevant settings object=]' s [=environment settings
1575+ object/origin=] .
1576+ 1. Return true if |origin| and |focusedOrigin| are [=same origin-domain=] , and false otherwise.
1577+ </div>
1578+
15631579<h2 id="automation">Automation</h2>
15641580
15651581The Generic Sensor API and its [=extension specifications=] pose a challenge
0 commit comments