> For example, to the web browser, it is nearly impossible to distinguish
> between a user filling out a form in a visible iframe, and a malicious
> javascript function doing so on its own (to trigger your proposed
> rule).

That's probably true, but it appears Chrome and Firefox are starting to do this in an attempt to stop the auto-play of videos and sounds (something I'm also vehemently against for many reasons), so there must be a way they're detecting if the user interacts with certain content or not? I would say if the content in the iframe becomes focused, that would be an indication that the user has interacted with it? I don't believe JS from the iframe can force focus on itself. The website the iframe loads on could possibly force focus, I believe, but still, there's got to be some way to detect if the user initiated the focus to that iframe / interacted with that iframe.

> You would fare a lot better if your iframe content opened a new tab
> (preferably via the "target" attribute on links), thus causing the
> domain to be the 1st party domain during the interaction, and
> (probably) a visited domain afterwards.

I do this when the user wants to view items in his cart, but if 3rd party cookies are blocked, the session isn't maintained, and so the cart is empty when they reach that page. This is a big problem. I doubt a warning letting people know that functionality won't work with 3rd party cookies blocked still won't get them to change that setting. Is there an official browser way to prompt the user to make an exception?

_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy
