1. Introduction and Background
-User agents expose powerful features to web sites, like geolocation -or camera access. These features are important to some use cases, but can be -easily abused.To handle this, user agents use permissions to ask the user -whether they wish for a particular access to be allowed or not.
-These permission requests began as a fairly direct passthrough: A site would -ask for some capability and the user agent immediately prompts the user to make -a decision for the request. Meanwhile, spam and abuse have forced user agents -to take a more opinionated approach to protect users' security, privacy, and -attention. The status quo is that users get a multitude of permission requests, -where it’s oftentimes unclear to users what the consequences of these requests -might be.
-This spec introduces a new mechanism that requests and initiates access to
-Geolocation capabilities through in-page elements, with built-in protections
-against abuse. Giving access to the location through in in-page lement wants
-to tie capability activation to the actual context in which it will be used
-, thus reducing "permission spam" and at the same time providing implementations
-with a better signal of user intent.
The later chapters of this specification are careful to build up the required -spec infrastructure to that it can be re-used on other, similarly spirited -elements providing access to other powerful features and their associated -capabilities.
-2. The geolocation Element
- The HTML geolocation element can moderate access to the
-"geolocation" permission and the associated Geolocation
-capabilities.
-
-
- Categories: -
- Flow content.
-
- Phrasing content. -
- Interactive content. -
- Palpable content. -
- Phrasing content. -
- Contexts in which this element can be used: -
- Where phrasing content is expected. -
- Content model: -
- Flow content. -
- Content attributes: -
- Global attributes.
-
- ActivationBlockersMixin attributes. -
- PermissionsMixin attributes. -
autolocate— Whether to locate right away (if permission has already been granted). -watch— Wether to read the position once, or watch it continously. - - ActivationBlockersMixin attributes. -
- Accessibility considerations: -
- See issues below. -
- DOM interface: -
HTMLGeolocationElement-
[WAI-ARIA] specifies roles for in-page content.
- It is yet unclear whether or how the geolocation element fits into
- the existing set of roles.
- Given that this element triggers permission requests, one could argue
- that whatever accessibility concerns apply there should cover this element
- as well. On the other hand, more specialized treatment may lead to better
- support for users.
In § 3.4 Styling, and Styling Restrictions, this specification defines elaborate restrictions on
- how geolocation elements can be rendered. It’s unclear whether there
- need to be similarly spirited restrictions on which ARIA attributes can
- be applied.
The isValid and
-invalidReason, as well as the global
-lang and
-tabindex content attributes, and the
-onpromptaction,
-onpromptdismiss, and
-onvalidationstatuschange event handlers follow the
-description in § 3 Mixins and Infrastructure.
The autolocate attribute determines
-whether the geolocation element should start locating immediately (if
-permission has already been granted).
The watch attribute determine whether
-the geolocation element report the location once or continously.
[-Exposed =Window ] -interface :HTMLGeolocationElement HTMLElement { - [HTMLConstructor ]constructor (); - -readonly attribute GeolocationPosition ?; -position readonly attribute GeolocationPositionError ?; - [error CEReactions ,Reflect ]attribute boolean ; - [autolocate CEReactions ,Reflect ]attribute boolean ; - -watch attribute EventHandler ; -}; -onlocation HTMLGeolocationElement includes ActivationBlockersMixin ; -HTMLGeolocationElement includes PermissionsMixin ; -
If the user has decided to allow access to geolocation information, the
-readonly attributes position and
-error reflect the current
-GeolocationPosition and GeolocationPositionError values, just like
-the PositionCallback and
-PositionErrorCallback callbacks (respectively) would have returned
If the boolean attribute autolocate is true,
-and if the "geolocation" permission has already been granted by
-the user, then the location should be retrieved immediately when the
-geolocation element is attached to the document. If the permission has
-not already been granted at insertion time, then this attribute has no effect.
If the boolean attribute watch
-is set to true, the onlocation event is called
-every time the position changes, matching the behaviour of watchPosition.
When a location is available, an Event is dispatched on the
-onlocation event handler.
-When the event is
-dispatched, the location, or information about a failure to retrieve the
-location, are available in the position or the
-error attributes. Depending on the
-watch element this happens once (if absent or false),
-or continously (if true).
HTMLGeolocationElement wants to mirror the Geolocation interface.
-There is a direct correspondance:
| position - | Result of PositionCallback.
- |
|---|---|
| error - | Result of PositionErrorCallback.
- |
| watch - | Use watchPosition().
- |
| ¬ watch - | Use getCurrentPosition().
- |
The global lang attribute is -observed by the element to select localized text.
-The default value
-for the global tabindex content attribute on the
-element is 0.
2.1. geolocation element internal state
- The geolocation element uses all the internal slots from ActivationBlockersMixin and PermissionsMixin. Additionally,
-geolocation has the following internal slots:
-
-
-
-
A constant
-[[watchIDs]], -which is used with the request a position algorithm. -
-
-[[position]], -which contains the most recentGeolocationPosition. -
-
-[[positionError]], -which contains the most recentGeolocationPositionError.
2.1.1. Mixin-supporting state at the navigable
-In order to support the HTMLGeolocationElement, the navigable maintains
-an ordered set of elements, [[PermissionElements]]. This ordered set is used to evaluate the blockers of type unsuccesful_registration.
2.2. geolocation element algorithms
- HTMLGeolocationElement constructor() steps are:
-
-
- -
-
-
-
Initialize the internal
-[[Features]]to -« "geolocation" ». -
-
Initialize the internal
-[[BlockerList]]to «». -
-
Initialize the internal
-[[LastNotifiedValidState]]with false. -
-
Initialize the internal
-[[LastNotifiedInvalidReason]]with the empty -string. -
-
Initialize the internal
-[[watchIDs]]to « watchID », where -watchID is an implementation-definedunsigned longthat is -greater than zero. -
-
Initialize the internal
-[[position]]to null. -
-
Initialize the internal
-[[positionError]]to null. - - -
HTMLGeolocationElement’s insertion steps are:
-
-
- -
-
-
-
Initialize the internal
-[[BlockerList]]to «». - - -
-
-
Initialize the internal
-[[IntersectionRect]]with undefined. -
-
Initialize the internal
-[[IntersectionObserver]]with the result of -constructing a newIntersectionObserverwith -IntersectionObserver callback and -«[ "rootMargin" →"-4px"]». -
-
Call
-[[IntersectionObserver]].observe(this). -
-
Run
-PermissionsMixin’s insertion steps. -
-
If this is not type permissible, then add a temporary blocker -with
-unsuccesful_registration. -
-
Add an expiring blocker with reason -
-recently_attached. -
-
If the traversable navigable of the node navigable of -this -is a fenced navigable, then add a permanent blocker -with
-illegal_subframe. - - -
- - -
HTMLGeolocationElement element’s activation behavior given event is:
-
-
- -
-
-
-
Assert: element’s
-[[Features]]is not null. -
-
If element’s
-[[Features]]is empty, then return. -
-
If event.
-isTrustedis false, then return. -
-
If element.
-isValidis false, then return. -
-
Let descriptor be the result of build a permission descriptor for -element.
- -
-
Request permission to use the powerful features described by -descriptor.
- -
-
If the previous step was cancelled or dismissed by the user, then -dispatch onpromptdismiss on this and return.
-The [Permissions] spec assumes that request permission to use -will always succeed. That is, it assumes that the user will always make a -choice and that the algorithm will always deliver a
-grant/deny-answer corresponding to that choice. But you can’t force a user to do that. -Some user agents may have different UI affordances for an explicit -denial (e.g. a "deny" button) on one hand, and cancelling or dismissing the -request dialog (e.g. an "X" button in the top right corner). Here, we -distinguish between these two actions, despite no clear hook for this -in the underlying specification. - - -
- - -
position getter steps are to return the value
-of [[position]].
-error getter steps are to return the value of
-[[positionError]].
--
-
-
-
If get the current permission state is not -
-granted, then return. -
-
If
-autolocateis not true, then return. - - -
-
-
-
-
Let positionCallback be a
-PositionCallbackthat performs the following steps:-
-
-
-
Set this’s
-[[positionError]]to undefined. -
-
Set this’s
-[[position]]toPositionCallback’s position -argument. - - -
-
-
-
-
Let errorCallback be a
-PositionErrorCallbackthat performs the following steps:-
-
-
-
Set this’s
-[[position]]to undefined. -
-
Set this’s
-[[positionError]]toPositionCallback’s -positionError argument. - - -
-
-
-
-
Let positionOptions be «[ "
-enableHighAccuracy" → true ]». -
-
Let geolocation be the relevant global object’s
-Geolocation. -
-
-
-
-
-
-
Request a position with geolocation, positionCallback, -errorCallback, positionOptions, and this’s
-[[watchIDs]].
-
-
-
-
Otherwise:
--
-
-
-
Request a position with geolocation, positionCallback, -errorCallback, positionOptions.
-
-
-
-
-
-
-
Assert: element’s node navigable’s
-[[PermissionElements]]-contains element. -
-
Let count be 0.
- -
-
For each current in -element’s node navigable’s
-[[PermissionElements]]:-
-
-
-
If current is element, then break.
- -
-
If element.
-[[Features]]equals current.[[Features]]then increment count by 1.
-
-
-
-
-
Return whether count is less than 3.
-
-
-
-
-
For each current in document’s -
-[[PermissionElements]]:-
-
-
-
If current is type permissible, then remove blockers with -
-unsuccesful_registrationfrom -current.
-
-
-
-
-
-
Let event be a new
-Event. -
-
Initialize event with
-type-"onlocation". -
-
Dispatch event to element.
-
2.3. geolocation element rendering
- The geolocation element is a non-devolvable widget and is chiefly
-rendered like a button. The button label is largely expected to be
-determined by the browser, rather than the page, and reflects its function of given
-access to Geolocation functionality. The element may also convey information about
-the current permission state of the "geolocation" powerful feature.
The page can influence the permission elements' styling, but with
-constraints to prevent abuse (e.g. minimum and maximum sizes for fonts and
-the label itself). These are described in § 3.4 Styling, and Styling Restrictions.
-The page can also select a locale for the text via the lang attribute.
The permission elements support fallback content, which will be -displayed by any browser not yet supporting that element. Note that -there are also conditions under which a browser that supports -a respective permission element falls back to its fallback content.
-3. Mixins and Infrastructure
-This section defines several mixins and supporting algorithms.
-3.1. Activation Blockers
-To support a meaningful user intent signal and to conditionally block element
-activation, you can use the ActivationBlockersMixin
-
-
- Content attributes: -
isValid— query whether the element can currently be activated. -invalidReason— return a string representation of why the element currently cannot be activated. -onvalidationstatuschange— notifies when the validation status changes. -- DOM interface: -
-
-
-interface mixin ActivationBlockersMixin readonly attribute boolean isValid ; -readonly attribute ActivationBlockersMixinBlockerReason invalidReason ; -attribute EventHandler onvalidationstatuschange
The isValid attribute reflects whether the
-element is currently blocked.
The invalidReason attribute is an
-enumerated attribute that informs the caller of the reason why activation
-is currently blocked. If there are multiple reasons, it picks one.
-Its value set is ActivationBlockersMixinBlockerReason.
The following are the event handler (and their corresponding event handler event type) that
-must be supported on elements that include the ActivationBlockersMixin:
| onvalidationstatuschange - | Event - |
|---|
The ActivationBlockersMixin attributes -are:
--
-
- - -
- - -
- - -
3.1.1. Internal state
-ActivationBlockersMixin elements have the following internal slots:
-
-
-
-
The
-[[BlockerList]]is a -list of records, containing a -blocker timestamp and a -blocker reason. The blocker reason is aActivationBlockersMixinBlockerReason, but not the empty string. -
-
-[[LastNotifiedValidState]]-is a boolean that stores the most recently notified state of -isValid. -
-
-[[LastNotifiedInvalidReason]]-is a string that stores the most recently notified state of -invalidReason. -[[LastNotifiedValidState]]and[[LastNotifiedInvalidReason]]are -used to determine whether an -onvalidationstatuschangeevent needs to be -dispatches. -
-
-[[IntersectionObserver]]-is a reference to anIntersectionObserver. -
-
-[[IntersectionRect]]is a -DOMRectReadOnlythat stores the most recently seen intersection, i.e. -the position of the element relative to the viewport.
3.1.2. Action Blockers, Blocker Reasons, and Blocker Lifetimes
-The key goal of the elements in this specification is to reflect a user’s -conscious choice, and we need to make sure the user cannot easily be tricked -into activating it. To do so, we maintain a list of blocker reasons, which may - -permanently or temporarily - prevent the element from being activated.
-Conceptually, a blocker reason is just an arbitrary string identifier. We
-provide an enumeration of its value set. It’s expected that not all users
-of the ActivationBlockersMixin will support all reasons.
-enum { -ActivationBlockersMixinBlockerReason , // No blocker reason. -"" ,"illegal_subframe" , -"unsuccesful_registration" ,"recently_attached" , -"intersection_changed" , -"intersection_out_of_viewport_or_clipped" ,"intersection_occluded_or_distorted" , -"style_invalid" , -}; -"type_invalid"
These blockers come with three lifetimes: Permanent, temporary, and expiring.
--
-
- Permanent blocker -
-
-
Once an element has a permanent blocker, it will be disabled permanently. -There are used for issues that the website owner is expected to fix. -An example is an element inside a
-fencedframe. - Temporary blocker -
-
-
This is a blocker that will only be valid until the blocking condition no -no longer occurs. An example is an element that is not -currently in view. All temporary blockers turn into -expiring blockers once the condition no longer applies.
- - Expiring blocker -
-
-
This is a blocker that is only valid for a fixed period of time. This is -used to block abuse scenarios like "click jacking". An example is -an element that has recently been moved.
-
| Blocker name - - | Blocker type - - | Example condition - - | Order hint - - |
|---|---|---|---|
type_invalid
-
- | permanent - - | When an unsupported permission type has been - set. - - | 1 - - |
illegal_subframe
-
- | permanent - - | When the element is used inside a fencedframe.
-
- | 2 - - |
unsuccesful_registration
-
- | temporary - - | When too many other elements for the same - powerful feature have been inserted into the same document. - - | 3 - - |
recently_attached
-
- | expiring - - | When the element has just been attached to the - DOM. - - | 4 - - |
intersection_changed
-
- | expiring - - | When the element is being moved. - - | 6 - - |
intersection_out_of_viewport_or_clipped
-
- | temporary - - | When the element is not or not fully in the viewport. - - | 7 - - |
intersection_occluded_or_distorted
-
- | temporary - - | When the element is fully in the viewport, - but still not fully visible (e.g. because it’s partly behind other content). - - | 8 - - |
style_invalid
-
- | temporary - - | - | 9 - - |
3.1.3. Algorithms
-ActivationBlockersMixinBlockerReason reason and an optional flag expires:
-
-
- -
-
-
-
Assert: reason is not
-"". -(The empty string inActivationBlockersMixinBlockerReasonsignals no blocker -is present. Why would you add a non-blocking empty string blocker?) -
-
Let timestamp be None.
- -
-
If expires, then let timestamp be current high resolution time -plus the blocker delay.
- -
-
Append an entry to the internal
-[[BlockerList]]-with reason and timestamp.
ActivationBlockersMixinBlockerReason reason:
-
-
- -
-
-
-
Assert: reason is listed as "expiring" in the blocker reason table.
- -
-
Add a blocker with reason and true.
-
ActivationBlockersMixinBlockerReason reason:
-
-
- -
-
-
-
Assert: reason is listed as "temporary" in the blocker reason table.
- -
-
Add a blocker with reason and false.
-
ActivationBlockersMixinBlockerReason reason:
-
-
- -
-
-
-
Assert: reason is listed as "permanent" in the blocker reason table.
- -
-
Add a blocker with reason and false.
-
ActivationBlockersMixinBlockerReason reason from an element:
-
-
- -
-
-
-
Assert: reason is listed as "temporary" in the -blocker reason table.
- -
-
For each entry in element’s
-[[BlockerList]]:-
-
-
-
If entry’s reason equals reason, then remove -entry from element’s
-[[BlockerList]].
-
-
-
-
Add a blocker with reason and true.
-
ActivationBlockersMixin element’s
-blocker:
-
-
- -
-
-
-
Let blockers be the result of sorting element’s
-[[BlockerList]]-with the blocker ordering algorithm. -
-
If blockers is not empty and blockers[0] is blocking, then return blockers[0].
- -
-
Return nothing.
-
-
-
-
-
Let really large number be 99.
- -
-
Assert: No order hint in the blocker reason table is equal to or -greater than really large number.
- -
-
If a is blocking, then let a hint be the -order hint of a’s reason in the -blocker reason table, otherwise let a hint be really large number.
- -
-
If b is blocking, then let b hint be the -order hint of b’s reason in the -blocker reason table, otherwise let b hint be really large number.
- -
-
Return whether a hint is less than or equal to b hint.
-
ActivationBlockersMixin’s blocker list’s entry is
-blocking if:
-
-
- -
-
-
-
entry has no blocker timestamp,
- -
-
or entry has a blocker timestamp, and the blocker timestamp is -greater or equal to the current high resolution time.
-
NOTE: The spec maintains blockers as a list [[BlockerList]], which may
- potentially grow indefinitely (since some blocker types simply expire,
- but are not removed).
- This structure is chosen for the simplicity of explanation, rather than for
- efficiency. The details of this blocker structure are not observable except
- for a handful of algorithms defined here, which should open plenty of
- opportunities for implementations to handle this more efficiently.
ActivationBlockersMixin element’s isValid getter steps are:
-
-
- -
-
-
-
Return whether element’s blocker is Nothing.
-
ActivationBlockersMixin element’s invalidReason getter steps are:
-
-
-
- -
-
-
-
Let oldState be
-[[LastNotifiedValidState]]. -
-
Let newState be whether element’s blocker is Nothing.
- -
-
Set
-[[LastNotifiedValidState]]to newState. -
-
Let oldReason be
-[[LastNotifiedInvalidReason]]. -
-
Let newReason be whether element’s -
-invalidReason. -
-
Set
-[[LastNotifiedInvalidReason]]to newReason. -
-
If oldState != newState or oldReason != newReason, then:
--
-
-
-
Let event be a new
-Event. -
-
Initialize event with -type -"
-onvalidationstatuschange", -bubbles -true, and -cancelable -true. -
-
Dispatch event to element.
-
-
-
ActivationBlockersMixin’s IntersectionObserver callback implements IntersectionObserverCallback and runs the following steps:
-
-
- -
-
-
-
Assert: The
-IntersectionObserver’sroot-is the document -
-
Let entries be the value of the first callback parameter, the -list of
-intersection observer entries. - - -
-
-
Let entry be entries’s last item.
- -
-
If entry.
- -isVisible, then: -
-
Otherwise:
--
-
-
-
If entry.
-intersectionRatio>= 1, then:-
-
-
-
Let reason be
-intersection_occluded_or_distorted.
-
-
-
-
Otherwise:
--
-
-
-
Let reason be
-intersection_out_of_viewport_or_clipped.
-
-
-
-
Add a temporary blocker with reason.
-
-
-
-
-
If
-[[IntersectionRect]]does not equal -entry.intersectionRectthen -add an expiring blocker with -intersection_changed. -
-
Set
-[[IntersectionRect]]to -entry.intersectionRect - - -
3.2. Powerful Features, aka Permissions
-To support elements that gate access to powerful features, you can use the
-PermissionsMixin.
-
-
- DOM interface: -
-
-
-interface mixin PermissionsMixin readonly attribute PermissionState initialPermissionStatus ; -readonly attribute PermissionState permissionStatus ; -attribute EventHandler onpromptaction attribute EventHandler onpromptdismiss
The following are the event handlers (and their corresponding event handler event types) that must be supported on elements that include the PermissionsMixin:
| onpromptaction - | Event - |
|---|---|
| onpromptdismiss - | Event - |
The PermissionsMixin attributes are:
--
-
- - -
- - -
- - -
- - -
3.2.1. Internal state
-The PermissionsMixin represents capabilities gated by user-requestable
-permissions, which the user can activate to allow the site to start accessing them.
-It is core to the these elements that such requests are
-triggered by the user, and not by the page’s script. To enforce
-this, the element checks whether the activation event is trusted. Additionally it watches a number of conditions, like whether the element is
-(partially) occluded, or if it has recently been moved. The element maintains
-an internal [[BlockerList]] to keep track of this.
PermissionsMixin elements have the following internal slots:
-
-
-
-
-[[Features]]is null -or an ordered set of powerful features. For most permission -elements this is likely a fixed set, while for some this may be variable. -Making it an internal slot allows us to write algorithms that work for all -of them. -
-
-[[InitialPermissionStatus]]-is aPermissionStatethat stores the initialPermissionStatefor -[[Features]].
3.2.2. Algorithms
-PermissionsMixin’s initialization steps are:
-
-
- -
-
-
-
Assert: The internal
-[[Features]]slot has been -initialized. The including element must define and initialize this. -
-
Initialize the internal
-[[InitialPermissionStatus]]to -the result of get the current permission state.
PermissionsMixin’s insertion steps are:
-
-
- -
-
-
-
If
-[[Features]]is empty or is null, -then add a permanent blocker -with reasontype_invalid.
PermissionsMixin element’s
-initialPermissionStatus
-getter steps are:
-
-
- -
-
-
-
Return element’s internal
-[[InitialPermissionStatus]].
PermissionsMixin element’s
-permissionStatus
-getter steps are:
-
-
- -
-
-
-
Return get the current permission state for -element.
-
PermissionsMixin element:
-
-
- -
-
-
-
Let features be element’s internal
-[[Features]]. - - -
-
-
Let current be "
-granted". -
-
For each feature of features:
--
-
-
-
Let state be the result of get the current permission state for -feature.
- -
-
Let current be the smaller of current and state, assuming the -following ordering:
-
-"granted" > -"prompt" > -"denied".
-
-
-
-
Return current.
-
It’s not clear what the PermissionState for 'no valid permission type' - should be. Here I pick "prompt" based on Chrome’s implementation; but that - choice is arbitrary.
--
-
-
-
Let event be a new
-Event. -
-
Initialize event with -type -"
-onpromptaction", -bubbles -true, and -cancelable -true. -
-
Dispatch event to element.
-
-
-
-
-
Let event be a new
-Event. -
-
Initialize event with -type -"
-onpromptdismiss", -bubbles -true, and -cancelable -true. -
-
Dispatch event to element.
-
The [Permissions] specification assumes a descriptor describes a
-single permission without parameters (like an equivalent of
-enableHighAccuracy). Here, we assume a permissions model
-that is more expressive. This needs to be resolved -- likely upstream,
-in [Permissions], plus adaptions here.
-
-
-
-
Let result be a new
-PermissionDescriptor. -
-
Fill in result, by including the powerful feature names contained in -element’s
-[[Features]]. -
-
Return result.
-
3.2.3. Presentation
-There isn’t much precedence for describing the user agent UI in detail. - It may be better to leave more freedom to user agents.
-An element using the PermissionsMixin contains browser-chosen content, text and maybe an
-icon. Activating them will often prompt the user to choose.
-This provides two bits of user interface that a user can interact with.
-The user agent is largely free to determine these — rendering of the
-element and the subsequent permission
-prompt — in whichever way it thinks best convey’s the element’s intent.
UI options for the elements' presentation include:
--
-
-
-
Name the powerful features listed in
-[[Features]], in the language -indicated by the language of the element. Note that this would -always be the language indicated by thelangattribute, -if present. -
-
An icon indicating the powerful feature type or types.
- -
-
The current permission state of the powerful feature in questions. -For example, if the permission is already -
-granted, the element might be labeled -as "geolocation already in use". -
-
A modal prompt with a "scrim". -(I.e., darkening out the page behind the prompt.) -This would normally quite disruptive. But here our goal is to ensure a -user means to make this choice.
-
User agents are encouraged to name or describe the powerful features -in a way that’s consistent with similar usage in program or the platform it -is running on.
-Very non-normative examples might be:
--
-
-
-
-<geolocation lang=de>: "Standort verwenden". -
-
-<geolocation watch=true>(in an English language page): "⌖ Track location.". -
-
Upon activiating
-<geolocation>, when the corresponding -permission state isdenied, modify the text to -"Continue blocking".
3.3. Falling Back
-A user agent that does not support a particular element would
-recognize them as HTMLUnknownElement and render their children as
-regular HTML.
-User agents that support such an element should usually
-render the element as described in § 3.4 Styling, and Styling Restrictions, but are still
-required to render the fallback content under one condition:
If the internal [[BlockerList]] contains a record whose
-blocker reason is type_invalid,
-then the element should render the fallback content
-instead of its usual rendering.
3.4. Styling, and Styling Restrictions
-Permission elements constrain the styling that can be applied to them. -These constraints come in three flavours:
--
-
-
-
If the condition isn’t met, the element is deactivated.
- -
-
A user-agent defined stylesheet enforces certain styling.
- -
-
The user-agent enforces bounds on additional styles, where the bounds -cannot be easily expressed in CSS. For example, if the style bounds are -expressed relative to the computed style of the element.
-
3.4.1. Conditions that Deactivate the Element
-If one of these conditions is not met, then a
-temporary blocker is added with type
-style_invalid.
| 'color', 'background-color' - |
-Set by default to the user agent’s default button colors.
-The contrast ratio between the 2 colors needs to be at least 3.
-Alpha has to be 1.
-
- |
|---|---|
| 'font-size' - |
-
-If specified value is expressed as <relative-size>:
-
-
|
3.4.2. User-Agent Defined Stylesheet
-A permission element is expected to render with the following styles:
--@namespace "http://www.w3.org/1999/xhtml" ; -geolocation{ -opacity : 1.0 ; -line-height : normal !important; -whitespace : nowrap !important; -user-select : none !important; -appearance : auto !important; -box-sizing : content-box !important; -vertical-align : middle !important; -text-emphasis : initial !important; -text-shadow : initial !important; -} -
3.4.3. Additional User-Agent Defined Style Bounds
- -Permission elements define several bounds on styles. For example, we want -the font size are constraints on the The style bounds are explained below. - - -For notational convenience, we imagine that the computed value of an element
-could be accessed in CSS rules with computed, just like the
-inherited value of an element can via the inherit keyword.
-Then the following sheet expresses the style bounds:
-@namespace "http://www.w3.org/1999/xhtml" ; -geolocation{ -outline-offset : clamp ( 0 , computed, none); /* No negative outline-offsets. */ - font-weight:clamp ( 200 , computed, none); /* No font-weights below 200. */ - word-spacing:clamp ( 0 , computed, 0.5 em ); /* Word-spacing between 0..0.5em */ - letter-spacing:clamp ( -0.05 em , commputed, 0.2 em ); /* Letter spacing between -0.05..0.2em */ - - min-height:clamp ( 1 em , computed, none); -max-height : clamp ( none, computed, 3 em ); -min-width : clamp ( none, computed, calc ( fit-content)); - -border-width : clamp ( none, computed, 1 em ); - -font-style : if ( computed ="normal" or computed ="italic" , computed, "normal" ); -display : if( computed ="inline-block" or computed ="none" , computed, "inline-block" ); -cursor : if( computed ="pointer" or computed ="not-allowed" , computed, "pointer" ) -} -
Additionally, some rules apply based on conditions not easily expressible as -CSS.
-If height is auto, then apply:
-@namespace "http://www.w3.org/1999/xhtml" ; -geolocation{ -padding-top : clamp ( 1 em , computed, none); -padding-bottom : calc ( padding-top); -} -
If width is auto, then apply:
-@namespace "http://www.w3.org/1999/xhtml" ; -geolocation{ -padding-left : clamp ( none, computed, 5 em ); -padding-right : calc ( padding-left); -} -
Apply the following sheet, if the element does not have all of the following:
--
-
-
-
A border width of at least
-1px, -
-
a color to background-color contrast ratio of at least 3,
- -
-
and alpha of 1.
-
-@namespace "http://www.w3.org/1999/xhtml" ; -geolocation{ -max-width : clamp ( none, computed, calc ( 3 * fit-content)); -} -
The following CSS properties can be used normally:
--
-
- - -
- - -
- - -
- - -
- - -
- - -
- - -
- - -
- - -
- - -
- - -
- - -
-
-
border and all -border shorthand properties, -border-top, border-right, border-bottom, border-left
- - - -
- - -
- - -
- - -
- - -
- - -
- - -
-
-
flex and its longhands, flex-grow, flex-shrink, flex-basis
- - - -
- - -
- - -
- - -
- - -
- - -
- - -
-
-
outline and mostly its longhands, -outline-color and outline-style. -
-
Note that outline-offset is clamped by the rules above. - - -
-
-
overscroll-behavior and its -longhands, -overscroll-behavior-inline, overscroll-behavior-block, -overscroll-behavior-x, overscroll-behavior-y
- - - -
- - -
- - -
- - -
-
-
scroll-margin and its longhands, -scroll-margin-top, scroll-margin-right, scroll-marginbottom', -scroll-margin-left
- -
-
scroll-padding and its longhands, -scroll-padding-top, scroll-padding-right, scroll-padding-bottom, -scroll-padding-left, scroll-padding-inline-start, -scroll-padding-block-start, scroll-padding-block-start, -scroll-padding-inline-end, scroll-padding-block-end
- - - -
- - -
- - -
- - -
- - -
- - -
- - -
- - -
- - -
- - -
- - -
Properties that are not listed above, or in the rules in this section, -and aren’t logically equivalent to one of the properties mentioned here, -will be ignored.
-4. Security & Privacy Considerations
-Note: Security & Privacy Considerations can be found -here & -there, -in the Explainer. -This section will eventually contain a specification-worthy transcription -of those Explainer sections.
-