1. Introduction and Background
+User agents expose powerful features to web sites, like geolocation +or camera access. These features are important to some use cases, but can be +easily abused.To handle this, user agents use permissions to ask the user +whether they wish for a particular access to be allowed or not.
+These permission requests began as a fairly direct passthrough: A site would +ask for some capability and the user agent immediately prompts the user to make +a decision for the request. Meanwhile, spam and abuse have forced user agents +to take a more opinionated approach to protect users' security, privacy, and +attention. The status quo is that users get a multitude of permission requests, +where it’s oftentimes unclear to users what the consequences of these requests +might be.
+This spec introduces a new mechanism that requests and initiates access to
+Geolocation capabilities through in-page elements, with built-in protections
+against abuse. Giving access to the location through in in-page lement wants
+to tie capability activation to the actual context in which it will be used
+, thus reducing "permission spam" and at the same time providing implementations
+with a better signal of user intent.
The later chapters of this specification are careful to build up the required +spec infrastructure to that it can be re-used on other, similarly spirited +elements providing access to other powerful features and their associated +capabilities.
+2. The geolocation Element
+ The HTML geolocation element can moderate access to the
+"geolocation" permission and the associated Geolocation
+capabilities.
-
+
- Categories: +
- Flow content.
+
- Phrasing content. +
- Interactive content. +
- Palpable content. +
- Phrasing content. +
- Contexts in which this element can be used: +
- Where phrasing content is expected. +
- Content model: +
- Flow content. +
- Content attributes: +
- Global attributes.
+
- ActivationBlockersMixin attributes. +
- PermissionsMixin attributes. +
autolocate— Whether to locate right away (if permission has already been granted). +watch— Wether to read the position once, or watch it continously. + - ActivationBlockersMixin attributes. +
- Accessibility considerations: +
- See issues below. +
- DOM interface: +
HTMLGeolocationElement+
[WAI-ARIA] specifies roles for in-page content.
+ It is yet unclear whether or how the geolocation element fits into
+ the existing set of roles.
+ Given that this element triggers permission requests, one could argue
+ that whatever accessibility concerns apply there should cover this element
+ as well. On the other hand, more specialized treatment may lead to better
+ support for users.
In § 3.4 Styling, and Styling Restrictions, this specification defines elaborate restrictions on
+ how geolocation elements can be rendered. It’s unclear whether there
+ need to be similarly spirited restrictions on which ARIA attributes can
+ be applied.
The isValid and
+invalidReason, as well as the global
+lang and
+tabindex content attributes, and the
+onpromptaction,
+onpromptdismiss, and
+onvalidationstatuschange event handlers follow the
+description in § 3 Mixins and Infrastructure.
The autolocate attribute determines
+whether the geolocation element should start locating immediately (if
+permission has already been granted).
The watch attribute determine whether
+the geolocation element report the location once or continously.
[+Exposed =Window ] +interface :HTMLGeolocationElement HTMLElement { + [HTMLConstructor ]constructor (); + +readonly attribute GeolocationPosition ?; +position readonly attribute GeolocationPositionError ?; + [error CEReactions ,Reflect ]attribute boolean ; + [autolocate CEReactions ,Reflect ]attribute boolean ; + +watch attribute EventHandler ; +}; +onlocation HTMLGeolocationElement includes ActivationBlockersMixin ; +HTMLGeolocationElement includes PermissionsMixin ; +
If the user has decided to allow access to geolocation information, the
+readonly attributes position and
+error reflect the current
+GeolocationPosition and GeolocationPositionError values, just like
+the PositionCallback and
+PositionErrorCallback callbacks (respectively) would have returned
If the boolean attribute autolocate is true,
+and if the "geolocation" permission has already been granted by
+the user, then the location should be retrieved immediately when the
+geolocation element is attached to the document. If the permission has
+not already been granted at insertion time, then this attribute has no effect.
If the boolean attribute watch
+is set to true, the onlocation event is called
+every time the position changes, matching the behaviour of watchPosition.
When a location is available, an Event is dispatched on the
+onlocation event handler.
+When the event is
+dispatched, the location, or information about a failure to retrieve the
+location, are available in the position or the
+error attributes. Depending on the
+watch element this happens once (if absent or false),
+or continously (if true).
HTMLGeolocationElement wants to mirror the Geolocation interface.
+There is a direct correspondance:
| position + | Result of PositionCallback.
+ |
|---|---|
| error + | Result of PositionErrorCallback.
+ |
| watch + | Use watchPosition().
+ |
| ¬ watch + | Use getCurrentPosition().
+ |
The global lang attribute is +observed by the element to select localized text.
+The default value
+for the global tabindex content attribute on the
+element is 0.
2.1. geolocation element internal state
+ The geolocation element uses all the internal slots from ActivationBlockersMixin and PermissionsMixin. Additionally,
+geolocation has the following internal slots:
-
+
-
+
A constant
+[[watchIDs]], +which is used with the request a position algorithm. -
+
+[[position]], +which contains the most recentGeolocationPosition. -
+
+[[positionError]], +which contains the most recentGeolocationPositionError.
2.1.1. Mixin-supporting state at the navigable
+In order to support the HTMLGeolocationElement, the navigable maintains
+an ordered set of elements, [[PermissionElements]]. This ordered set is used to evaluate the blockers of type unsuccesful_registration.
2.2. geolocation element algorithms
+ HTMLGeolocationElement constructor() steps are:
+
+
+ -
+
-
+
Initialize the internal
+[[Features]]to +« "geolocation" ». -
+
Initialize the internal
+[[BlockerList]]to «». -
+
Initialize the internal
+[[LastNotifiedValidState]]with false. -
+
Initialize the internal
+[[LastNotifiedInvalidReason]]with the empty +string. -
+
Initialize the internal
+[[watchIDs]]to « watchID », where +watchID is an implementation-definedunsigned longthat is +greater than zero. -
+
Initialize the internal
+[[position]]to null. -
+
Initialize the internal
+[[positionError]]to null. - + +
HTMLGeolocationElement’s insertion steps are:
+
+
+ -
+
-
+
Initialize the internal
+[[BlockerList]]to «». - + +
-
+
Initialize the internal
+[[IntersectionRect]]with undefined. -
+
Initialize the internal
+[[IntersectionObserver]]with the result of +constructing a newIntersectionObserverwith +IntersectionObserver callback and +«[ "rootMargin" →"-4px"]». -
+
Call
+[[IntersectionObserver]].observe(this). -
+
Run
+PermissionsMixin’s insertion steps. -
+
If this is not type permissible, then add a temporary blocker +with
+unsuccesful_registration. -
+
Add an expiring blocker with reason +
+recently_attached. -
+
If the traversable navigable of the node navigable of +this +is a fenced navigable, then add a permanent blocker +with
+illegal_subframe. - + +
- + +
HTMLGeolocationElement element’s activation behavior given event is:
+
+
+ -
+
-
+
Assert: element’s
+[[Features]]is not null. -
+
If element’s
+[[Features]]is empty, then return. -
+
If event.
+isTrustedis false, then return. -
+
If element.
+isValidis false, then return. -
+
Let descriptor be the result of build a permission descriptor for +element.
+ -
+
Request permission to use the powerful features described by +descriptor.
+ -
+
If the previous step was cancelled or dismissed by the user, then +dispatch onpromptdismiss on this and return.
+The [Permissions] spec assumes that request permission to use +will always succeed. That is, it assumes that the user will always make a +choice and that the algorithm will always deliver a
+grant/deny+answer corresponding to that choice. But you can’t force a user to do that. +Some user agents may have different UI affordances for an explicit +denial (e.g. a "deny" button) on one hand, and cancelling or dismissing the +request dialog (e.g. an "X" button in the top right corner). Here, we +distinguish between these two actions, despite no clear hook for this +in the underlying specification. - + +
- + +
position getter steps are to return the value
+of [[position]].
+error getter steps are to return the value of
+[[positionError]].
+-
+
-
+
If get the current permission state is not +
+granted, then return. -
+
If
+autolocateis not true, then return. - + +
-
+
-
+
Let positionCallback be a
+PositionCallbackthat performs the following steps:-
+
-
+
Set this’s
+[[positionError]]to undefined. -
+
Set this’s
+[[position]]toPositionCallback’s position +argument. - + +
-
+
-
+
Let errorCallback be a
+PositionErrorCallbackthat performs the following steps:-
+
-
+
Set this’s
+[[position]]to undefined. -
+
Set this’s
+[[positionError]]toPositionCallback’s +positionError argument. - + +
-
+
-
+
Let positionOptions be «[]»
+ -
+
Let geolocation be the relevant global object’s
+Geolocation. -
+
+
-
+
-
+
Request a position with geolocation, positionCallback, +errorCallback, positionOptions, and this’s
+[[watchIDs]].
-
+
-
+
Otherwise:
+-
+
-
+
Request a position with geolocation, positionCallback, +errorCallback, positionOptions.
+
-
+
-
+
-
+
Assert: element’s node navigable’s
+[[PermissionElements]]+contains element. -
+
Let count be 0.
+ -
+
For each current in +element’s node navigable’s
+[[PermissionElements]]:-
+
-
+
If current is element, then break.
+ -
+
If element.
+[[Features]]equals current.[[Features]]then increment count by 1.
+
-
+
-
+
Return whether count is less than 3.
+
-
+
-
+
For each current in document’s +
+[[PermissionElements]]:-
+
-
+
If current is type permissible, then remove blockers with +
+unsuccesful_registrationfrom +current.
-
+
-
+
-
+
Let event be a new
+Event. -
+
Initialize event with
+type+"onlocation". -
+
Dispatch event to element.
+
2.3. geolocation element rendering
+ The geolocation element is a non-devolvable widget and is chiefly
+rendered like a button. The button label is largely expected to be
+determined by the browser, rather than the page, and reflects its function of given
+access to Geolocation functionality. The element may also convey information about
+the current permission state of the "geolocation" powerful feature.
The page can influence the permission elements' styling, but with
+constraints to prevent abuse (e.g. minimum and maximum sizes for fonts and
+the label itself). These are described in § 3.4 Styling, and Styling Restrictions.
+The page can also select a locale for the text via the lang attribute.
The permission elements support fallback content, which will be +displayed by any browser not yet supporting that element. Note that +there are also conditions under which a browser that supports +a respective permission element falls back to its fallback content.
+3. Mixins and Infrastructure
+This section defines several mixins and supporting algorithms.
+3.1. Activation Blockers
+To support a meaningful user intent signal and to conditionally block element
+activation, you can use the ActivationBlockersMixin
-
+
- Content attributes: +
isValid— query whether the element can currently be activated. +invalidReason— return a string representation of why the element currently cannot be activated. +onvalidationstatuschange— notifies when the validation status changes. +- DOM interface: +
-
+
+interface mixin ActivationBlockersMixin readonly attribute boolean isValid ; +readonly attribute ActivationBlockersMixinBlockerReason invalidReason ; +attribute EventHandler onvalidationstatuschange
The isValid attribute reflects whether the
+element is currently blocked.
The invalidReason attribute is an
+enumerated attribute that informs the caller of the reason why activation
+is currently blocked. If there are multiple reasons, it picks one.
+Its value set is ActivationBlockersMixinBlockerReason.
The following are the event handler (and their corresponding event handler event type) that
+must be supported on elements that include the ActivationBlockersMixin:
| onvalidationstatuschange + | Event + |
|---|
The ActivationBlockersMixin attributes +are:
+-
+
- + +
- + +
- + +
3.1.1. Internal state
+ActivationBlockersMixin elements have the following internal slots:
-
+
-
+
The
+[[BlockerList]]is a +list of records, containing a +blocker timestamp and a +blocker reason. The blocker reason is aActivationBlockersMixinBlockerReason, but not the empty string. -
+
+[[LastNotifiedValidState]]+is a boolean that stores the most recently notified state of +isValid. -
+
+[[LastNotifiedInvalidReason]]+is a string that stores the most recently notified state of +invalidReason. +[[LastNotifiedValidState]]and[[LastNotifiedInvalidReason]]are +used to determine whether an +onvalidationstatuschangeevent needs to be +dispatches. -
+
+[[IntersectionObserver]]+is a reference to anIntersectionObserver. -
+
+[[IntersectionRect]]is a +DOMRectReadOnlythat stores the most recently seen intersection, i.e. +the position of the element relative to the viewport.
3.1.2. Action Blockers, Blocker Reasons, and Blocker Lifetimes
+The key goal of the elements in this specification is to reflect a user’s +conscious choice, and we need to make sure the user cannot easily be tricked +into activating it. To do so, we maintain a list of blocker reasons, which may - +permanently or temporarily - prevent the element from being activated.
+Conceptually, a blocker reason is just an arbitrary string identifier. We
+provide an enumeration of its value set. It’s expected that not all users
+of the ActivationBlockersMixin will support all reasons.
+enum { +ActivationBlockersMixinBlockerReason , // No blocker reason. +"" ,"illegal_subframe" , +"unsuccesful_registration" ,"recently_attached" , +"intersection_changed" , +"intersection_out_of_viewport_or_clipped" ,"intersection_occluded_or_distorted" , +"style_invalid" , +}; +"type_invalid"
These blockers come with three lifetimes: Permanent, temporary, and expiring.
+-
+
- Permanent blocker +
-
+
Once an element has a permanent blocker, it will be disabled permanently. +There are used for issues that the website owner is expected to fix. +An example is an element inside a
+fencedframe. - Temporary blocker +
-
+
This is a blocker that will only be valid until the blocking condition no +no longer occurs. An example is an element that is not +currently in view. All temporary blockers turn into +expiring blockers once the condition no longer applies.
+ - Expiring blocker +
-
+
This is a blocker that is only valid for a fixed period of time. This is +used to block abuse scenarios like "click jacking". An example is +an element that has recently been moved.
+
| Blocker name + + | Blocker type + + | Example condition + + | Order hint + + |
|---|---|---|---|
type_invalid
+
+ | permanent + + | When an unsupported permission type has been + set. + + | 1 + + |
illegal_subframe
+
+ | permanent + + | When the element is used inside a fencedframe.
+
+ | 2 + + |
unsuccesful_registration
+
+ | temporary + + | When too many other elements for the same + powerful feature have been inserted into the same document. + + | 3 + + |
recently_attached
+
+ | expiring + + | When the element has just been attached to the + DOM. + + | 4 + + |
intersection_changed
+
+ | expiring + + | When the element is being moved. + + | 6 + + |
intersection_out_of_viewport_or_clipped
+
+ | temporary + + | When the element is not or not fully in the viewport. + + | 7 + + |
intersection_occluded_or_distorted
+
+ | temporary + + | When the element is fully in the viewport, + but still not fully visible (e.g. because it’s partly behind other content). + + | 8 + + |
style_invalid
+
+ | temporary + + | + | 9 + + |
3.1.3. Algorithms
+ActivationBlockersMixinBlockerReason reason and an optional flag expires:
+
+
+ -
+
-
+
Assert: reason is not
+"". +(The empty string inActivationBlockersMixinBlockerReasonsignals no blocker +is present. Why would you add a non-blocking empty string blocker?) -
+
Let timestamp be None.
+ -
+
If expires, then let timestamp be current high resolution time +plus the blocker delay.
+ -
+
Append an entry to the internal
+[[BlockerList]]+with reason and timestamp.
ActivationBlockersMixinBlockerReason reason:
+
+
+ -
+
-
+
Assert: reason is listed as "expiring" in the blocker reason table.
+ -
+
Add a blocker with reason and true.
+
ActivationBlockersMixinBlockerReason reason:
+
+
+ -
+
-
+
Assert: reason is listed as "temporary" in the blocker reason table.
+ -
+
Add a blocker with reason and false.
+
ActivationBlockersMixinBlockerReason reason:
+
+
+ -
+
-
+
Assert: reason is listed as "permanent" in the blocker reason table.
+ -
+
Add a blocker with reason and false.
+
ActivationBlockersMixinBlockerReason reason from an element:
+
+
+ -
+
-
+
Assert: reason is listed as "temporary" in the +blocker reason table.
+ -
+
For each entry in element’s
+[[BlockerList]]:-
+
-
+
If entry’s reason equals reason, then remove +entry from element’s
+[[BlockerList]].
-
+
-
+
Add a blocker with reason and true.
+
ActivationBlockersMixin element’s
+blocker:
+
+
+ -
+
-
+
Let blockers be the result of sorting element’s
+[[BlockerList]]+with the blocker ordering algorithm. -
+
If blockers is not empty and blockers[0] is blocking, then return blockers[0].
+ -
+
Return nothing.
+
-
+
-
+
Let really large number be 99.
+ -
+
Assert: No order hint in the blocker reason table is equal to or +greater than really large number.
+ -
+
If a is blocking, then let a hint be the +order hint of a’s reason in the +blocker reason table, otherwise let a hint be really large number.
+ -
+
If b is blocking, then let b hint be the +order hint of b’s reason in the +blocker reason table, otherwise let b hint be really large number.
+ -
+
Return whether a hint is less than or equal to b hint.
+
ActivationBlockersMixin’s blocker list’s entry is
+blocking if:
+
+
+ -
+
-
+
entry has no blocker timestamp,
+ -
+
or entry has a blocker timestamp, and the blocker timestamp is +greater or equal to the current high resolution time.
+
NOTE: The spec maintains blockers as a list [[BlockerList]], which may
+ potentially grow indefinitely (since some blocker types simply expire,
+ but are not removed).
+ This structure is chosen for the simplicity of explanation, rather than for
+ efficiency. The details of this blocker structure are not observable except
+ for a handful of algorithms defined here, which should open plenty of
+ opportunities for implementations to handle this more efficiently.
ActivationBlockersMixin element’s isValid getter steps are:
+
+
+ -
+
-
+
Return whether element’s blocker is Nothing.
+
ActivationBlockersMixin element’s invalidReason getter steps are:
+
+
+
+ -
+
-
+
Let oldState be
+[[LastNotifiedValidState]]. -
+
Let newState be whether element’s blocker is Nothing.
+ -
+
Set
+[[LastNotifiedValidState]]to newState. -
+
Let oldReason be
+[[LastNotifiedInvalidReason]]. -
+
Let newReason be whether element’s +
+invalidReason. -
+
Set
+[[LastNotifiedInvalidReason]]to newReason. -
+
If oldState != newState or oldReason != newReason, then:
+-
+
-
+
Let event be a new
+Event. -
+
Initialize event with +type +"
+onvalidationstatuschange", +bubbles +true, and +cancelable +true. -
+
Dispatch event to element.
+
-
+
ActivationBlockersMixin’s IntersectionObserver callback implements IntersectionObserverCallback and runs the following steps:
+
+
+ -
+
-
+
Assert: The
+IntersectionObserver’sroot+is the document -
+
Let entries be the value of the first callback parameter, the +list of
+intersection observer entries. - + +
-
+
Let entry be entries’s last item.
+ -
+
If entry.
+ +isVisible, then: -
+
Otherwise:
+-
+
-
+
If entry.
+intersectionRatio>= 1, then:-
+
-
+
Let reason be
+intersection_occluded_or_distorted.
-
+
-
+
Otherwise:
+-
+
-
+
Let reason be
+intersection_out_of_viewport_or_clipped.
-
+
-
+
Add a temporary blocker with reason.
+
-
+
-
+
If
+[[IntersectionRect]]does not equal +entry.intersectionRectthen +add an expiring blocker with +intersection_changed. -
+
Set
+[[IntersectionRect]]to +entry.intersectionRect - + +
3.2. Powerful Features, aka Permissions
+To support elements that gate access to powerful features, you can use the
+PermissionsMixin.
-
+
- DOM interface: +
-
+
+interface mixin PermissionsMixin readonly attribute PermissionState initialPermissionStatus ; +readonly attribute PermissionState permissionStatus ; +attribute EventHandler onpromptaction attribute EventHandler onpromptdismiss
The following are the event handlers (and their corresponding event handler event types) that must be supported on elements that include the PermissionsMixin:
| onpromptaction + | Event + |
|---|---|
| onpromptdismiss + | Event + |
The PermissionsMixin attributes are:
+-
+
- + +
- + +
- + +
- + +
3.2.1. Internal state
+The PermissionsMixin represents capabilities gated by user-requestable
+permissions, which the user can activate to allow the site to start accessing them.
+It is core to the these elements that such requests are
+triggered by the user, and not by the page’s script. To enforce
+this, the element checks whether the activation event is trusted. Additionally it watches a number of conditions, like whether the element is
+(partially) occluded, or if it has recently been moved. The element maintains
+an internal [[BlockerList]] to keep track of this.
PermissionsMixin elements have the following internal slots:
-
+
-
+
+[[Features]]is null +or an ordered set of powerful features. For most permission +elements this is likely a fixed set, while for some this may be variable. +Making it an internal slot allows us to write algorithms that work for all +of them. -
+
+[[InitialPermissionStatus]]+is aPermissionStatethat stores the initialPermissionStatefor +[[Features]].
3.2.2. Algorithms
+PermissionsMixin’s initialization steps are:
+
+
+ -
+
-
+
Assert: The internal
+[[Features]]slot has been +initialized. The including element must define and initialize this. -
+
Initialize the internal
+[[InitialPermissionStatus]]to +the result of get the current permission state.
PermissionsMixin’s insertion steps are:
+
+
+ -
+
-
+
If
+[[Features]]is empty or is null, +then add a permanent blocker +with reasontype_invalid.
PermissionsMixin element’s
+initialPermissionStatus
+getter steps are:
+
+
+ -
+
-
+
Return element’s internal
+[[InitialPermissionStatus]].
PermissionsMixin element’s
+permissionStatus
+getter steps are:
+
+
+ -
+
-
+
Return get the current permission state for +element.
+
PermissionsMixin element:
+
+
+ -
+
-
+
Let features be element’s internal
+[[Features]]. - + +
-
+
Let current be "
+granted". -
+
For each feature of features:
+-
+
-
+
Let state be the result of get the current permission state for +feature.
+ -
+
Let current be the smaller of current and state, assuming the +following ordering:
+
+"granted" > +"prompt" > +"denied".
-
+
-
+
Return current.
+
It’s not clear what the PermissionState for 'no valid permission type' + should be. Here I pick "prompt" based on Chrome’s implementation; but that + choice is arbitrary.
+-
+
-
+
Let event be a new
+Event. -
+
Initialize event with +type +"
+onpromptaction", +bubbles +true, and +cancelable +true. -
+
Dispatch event to element.
+
-
+
-
+
Let event be a new
+Event. -
+
Initialize event with +type +"
+onpromptdismiss", +bubbles +true, and +cancelable +true. -
+
Dispatch event to element.
+
The [Permissions] specification assumes a descriptor describes a
+single permission without parameters (like an equivalent of
+enableHighAccuracy). Here, we assume a permissions model
+that is more expressive. This needs to be resolved -- likely upstream,
+in [Permissions], plus adaptions here.
-
+
-
+
Let result be a new
+PermissionDescriptor. -
+
Fill in result, by including the powerful feature names contained in +element’s
+[[Features]]. -
+
Return result.
+
3.2.3. Presentation
+There isn’t much precedence for describing the user agent UI in detail. + It may be better to leave more freedom to user agents.
+An element using the PermissionsMixin contains browser-chosen content, text and maybe an
+icon. Activating them will often prompt the user to choose.
+This provides two bits of user interface that a user can interact with.
+The user agent is largely free to determine these — rendering of the
+element and the subsequent permission
+prompt — in whichever way it thinks best convey’s the element’s intent.
UI options for the elements' presentation include:
+-
+
-
+
Name the powerful features listed in
+[[Features]], in the language +indicated by the language of the element. Note that this would +always be the language indicated by thelangattribute, +if present. -
+
An icon indicating the powerful feature type or types.
+ -
+
The current permission state of the powerful feature in questions. +For example, if the permission is already +
+granted, the element might be labeled +as "geolocation already in use". -
+
A modal prompt with a "scrim". +(I.e., darkening out the page behind the prompt.) +This would normally quite disruptive. But here our goal is to ensure a +user means to make this choice.
+
User agents are encouraged to name or describe the powerful features +in a way that’s consistent with similar usage in program or the platform it +is running on.
+Very non-normative examples might be:
+-
+
-
+
+<geolocation lang=de>: "Standort verwenden". -
+
+<geolocation watch=true>(in an English language page): "⌖ Track location.". -
+
Upon activiating
+<geolocation>, when the corresponding +permission state isdenied, modify the text to +"Continue blocking".
3.3. Falling Back
+A user agent that does not support a particular element would
+recognize them as HTMLUnknownElement and render their children as
+regular HTML.
+User agents that support such an element should usually
+render the element as described in § 3.4 Styling, and Styling Restrictions, but are still
+required to render the fallback content under one condition:
If the internal [[BlockerList]] contains a record whose
+blocker reason is type_invalid,
+then the element should render the fallback content
+instead of its usual rendering.
3.4. Styling, and Styling Restrictions
+Permission elements constrain the styling that can be applied to them. +These constraints come in three flavours:
+-
+
-
+
If the condition isn’t met, the element is deactivated.
+ -
+
A user-agent defined stylesheet enforces certain styling.
+ -
+
The user-agent enforces bounds on additional styles, where the bounds +cannot be easily expressed in CSS. For example, if the style bounds are +expressed relative to the computed style of the element.
+
3.4.1. Conditions that Deactivate the Element
+If one of these conditions is not met, then a
+temporary blocker is added with type
+style_invalid.
| 'color', 'background-color' + |
+Set by default to the user agent’s default button colors.
+The contrast ratio between the 2 colors needs to be at least 3.
+Alpha has to be 1.
+
+ |
|---|---|
| 'font-size' + |
+
+If specified value is expressed as <relative-size>:
+
+
|
3.4.2. User-Agent Defined Stylesheet
+A permission element is expected to render with the following styles:
++@namespace "http://www.w3.org/1999/xhtml" ; +geolocation{ +opacity : 1.0 ; +line-height : normal !important; +whitespace : nowrap !important; +user-select : none !important; +appearance : auto !important; +box-sizing : content-box !important; +vertical-align : middle !important; +text-emphasis : initial !important; +text-shadow : initial !important; +} +
3.4.3. Additional User-Agent Defined Style Bounds
+ +Permission elements define several bounds on styles. For example, we want +the font size are constraints on the The style bounds are explained below. + + +For notational convenience, we imagine that the computed value of an element
+could be accessed in CSS rules with computed, just like the
+inherited value of an element can via the inherit keyword.
+Then the following sheet expresses the style bounds:
+@namespace "http://www.w3.org/1999/xhtml" ; +geolocation{ +outline-offset : clamp ( 0 , computed, none); /* No negative outline-offsets. */ + font-weight:clamp ( 200 , computed, none); /* No font-weights below 200. */ + word-spacing:clamp ( 0 , computed, 0.5 em ); /* Word-spacing between 0..0.5em */ + letter-spacing:clamp ( -0.05 em , commputed, 0.2 em ); /* Letter spacing between -0.05..0.2em */ + + min-height:clamp ( 1 em , computed, none); +max-height : clamp ( none, computed, 3 em ); +min-width : clamp ( none, computed, calc ( fit-content)); + +border-width : clamp ( none, computed, 1 em ); + +font-style : if ( computed ="normal" or computed ="italic" , computed, "normal" ); +display : if( computed ="inline-block" or computed ="none" , computed, "inline-block" ); +cursor : if( computed ="pointer" or computed ="not-allowed" , computed, "pointer" ) +} +
Additionally, some rules apply based on conditions not easily expressible as +CSS.
+If height is auto, then apply:
+@namespace "http://www.w3.org/1999/xhtml" ; +geolocation{ +padding-top : clamp ( 1 em , computed, none); +padding-bottom : calc ( padding-top); +} +
If width is auto, then apply:
+@namespace "http://www.w3.org/1999/xhtml" ; +geolocation{ +padding-left : clamp ( none, computed, 5 em ); +padding-right : calc ( padding-left); +} +
Apply the following sheet, if the element does not have all of the following:
+-
+
-
+
A border width of at least
+1px, -
+
a color to background-color contrast ratio of at least 3,
+ -
+
and alpha of 1.
+
+@namespace "http://www.w3.org/1999/xhtml" ; +geolocation{ +max-width : clamp ( none, computed, calc ( 3 * fit-content)); +} +
The following CSS properties can be used normally:
+-
+
- + +
- + +
- + +
- + +
- + +
- + +
- + +
- + +
- + +
- + +
- + +
- + +
-
+
border and all +border shorthand properties, +border-top, border-right, border-bottom, border-left
+ - + +
- + +
- + +
- + +
- + +
- + +
- + +
-
+
flex and its longhands, flex-grow, flex-shrink, flex-basis
+ - + +
- + +
- + +
- + +
- + +
- + +
- + +
-
+
outline and mostly its longhands, +outline-color and outline-style. +
+
Note that outline-offset is clamped by the rules above. - + +
-
+
overscroll-behavior and its +longhands, +overscroll-behavior-inline, overscroll-behavior-block, +overscroll-behavior-x, overscroll-behavior-y
+ - + +
- + +
- + +
- + +
-
+
scroll-margin and its longhands, +scroll-margin-top, scroll-margin-right, scroll-marginbottom', +scroll-margin-left
+ -
+
scroll-padding and its longhands, +scroll-padding-top, scroll-padding-right, scroll-padding-bottom, +scroll-padding-left, scroll-padding-inline-start, +scroll-padding-block-start, scroll-padding-block-start, +scroll-padding-inline-end, scroll-padding-block-end
+ - + +
- + +
- + +
- + +
- + +
- + +
- + +
- + +
- + +
- + +
- + +
Properties that are not listed above, or in the rules in this section, +and aren’t logically equivalent to one of the properties mentioned here, +will be ignored.
+4. Security & Privacy Considerations
+Note: Security & Privacy Considerations can be found +here & +there, +in the Explainer. +This section will eventually contain a specification-worthy transcription +of those Explainer sections.
+