A frame-hierarchy based model to track active user interaction.
This is now part of the HTML spec (see the section on tracking user activation) and has shipped in Chrome 72.
The term user activation means the state of a browsing session with respect to user actions: an "active" state typically implies either the user is currently interacting with the page through some input mechanism (typing, clicking with mouse etc.), or the user has completed some interaction since the page got loaded. (User gesture is a misleading term occasionally used to express the same idea, e.g. "allowing something only with a user gesture", even though a swipe gesture doesn't typically activate a page.)
Browsers control access to "abusable" of APIs through user activation. The most
obvious example of such an API is opening popups through window.open(): when
rogue developers started to abuse the API to open popups arbitrarily, most
(all?) browsers began to block popups when the user is not actively
interacting with the page. Since then, browsers have gradually made many other
APIs dependent on activation (more precisely, made them user activation
gated), like making an element fullscreen, vibrating a mobile device,
autoplaying media etc. To highlight the scope, ~30 different
APIs
in Chrome are user activation gated.
The Web is in a terrible state today in terms of user activation behavior. Because each browser has incrementally added user activation dependence to it's own set of APIs over a course of many years, we see widely divergent behavior among major browsers. For example, pop-blocking behavior is inconsistent among major browsers for all non-trivial cases of user activation.
More importantly, the current HTML spec can't really fix the broken situation in the Web today because it needs to add important details and doesn't fully reflect any current implementation.
User Activation v2 (UAv2) introduces a new user activation model that is simple
enough for cross-browser implementation, and hence calls for a new spec from
scratch as a long term fix for the Web. We prototyped the model in Chromium
behind the flag --enable-features=UserActivationV2 in
M67.
The new model maintains a two-bit user activation state at every window object
in the frame hierarchy:
-
HasSeenUserActivation: This is a sticky bit for the APIs that only needs a signal on historical user activation. The bit gets set on first user action, and is never reset during the lifetime of thewindowobject. Example APIs:<video> autoplayandNavigator.vibrate(). -
HasConsumableUserActivation: This is a transient bit for the APIs that need limited invocation per user interaction. The bit gets set on every user interaction, and is reset either after an expiry time defined by the browser or through a call to an activation-consuming API (e.g.window.open()).
-
Any user interaction in a
windowobject sets the activation bits in thewindowobjects of all ancestor frames (including thewindowbeing interacted with). (See Related Links below for an API to modify this default behavior.) -
Any consumption of the transient bit resets the transient bits in the
windowobjects of the whole frame tree.
In Chromium, the main change introduced by this model is replacing stack-allocated per-process gesture tokens with per-frame states as described above. This effectively:
-
removes the need for token storing/passing/syncing for every user API,
-
changes activation visibility from stack-scoped to frame-scoped, and
-
fuses multiple user interactions within the expiry time interval into a single activation.
For further details on the model and Chromium implementation, see:
Modern browsers already show different levels activation-dependence for activation-aware APIs, and the Web needs a spec for this behavior. The UAv2 model induces a classification of user APIs into three distinct levels, making it easy for any user API to spec its activation-dependence in a concise yet precise manner. The levels are as follows, sorted by their "strength of dependence" on user activation (from strongest to weakest):
-
Transient activation consuming APIs: These APIs require the transient bit, and they consume the bit in each call to prevent multiple calls per user activation. E.g.
window.open()is most (all?) browsers today. -
Transient activation gated APIs: These APIs require the transient bit but don't consume it, so multiple calls are allowed per user activation until the transient bit expires. E.g.
Element.requestFullscreen()in Chromium and other many browsers. -
Sticky activation gated APIs: These APIs require the sticky activation bit, so they are blocked until the very first user activation. E.g.
<video> autoplayandNavigator.vibrate()in Chromium.
Our prototype implementation preserved all the APIs' past behavior in Chromium after a few (mostly minor) changes.
Compare these demos in Chrome 72+ vs. in all other browsers to see why UAv2 makes sense.
-
User activation propagation in the frame tree:
-
Live UAv2 states in the frame tree: Shows live UAv2 state changes across the frame tree. Sorry, works only in Chrome because of this feature.
-
Test activation propagation with popups: Shows how UAv2 states change across the frame tree through user interaction and subsequent consumption through popups.
-
-
Consistent availability of user activation state through API chaining:
-
UAv2 with setTimeouts: Shows consistency through chaining of
setTimeout()calls. -
UAv2 with postMessages to parent: Shows consistency through multiple child-to-parent
postMessage()calls. -
UAv2 with postMessages to child: Shows consistency through multiple parent-to-child
postMessage()calls.
-
-
Activation Transfer through postMessages: An API to allow developers transfer user activation state to any target
windowin the frame tree. -
JS API for querying User Activation states: An API to determine the state of user activation. This is independent but somewhat related to UAv2.
-
Determining activation-defining events: Used for cataloging differences among major browsers in the set of events that define activation.