What is the issue with the HTML Standard?
Scenario
- A top-level frame A hosts sibling iframes B and C.
- B and C both have the focus-without-user-activation permissions policy denied.
- C has transient user activation.
- Script running in B obtains a reference to an element in C, element_c, and calls element_c.focus().
Desired outcome
The focus call is blocked.
The relevant question is whether the frame initiating the focus move (B) is allowed to move focus without user activation. C having transient activation should not authorize a different frame to move focus into C.
Current outcome
With the current specs, the allow focus steps return true, since step 2 returns true if target's relevant global object has transient activation.
Proposed solution
Thread the source/caller/initiator document or navigable into the allow focus steps, and check transient user activation on that initiator instead of on the target document.
In the scenario above, the relevant activation check would be B's activation state, not C's.
This is analogous to checking the focus setter’s permissions policy rather than the target’s policy. See issue #12032.
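The scenario above as a small model, added here as an illustration and not taken from the issue, the HTML Standard, or any browser. The frame objects and function names are hypothetical, the algorithm is reduced to the policy check and the activation check, and B is assumed to have no transient activation.

```javascript
// Simplified model of the allow focus steps. All names are hypothetical;
// only the policy check and the transient-activation check are modelled.
function makeFrame(name, policyAllowed, transientActivation) {
  return { name, policyAllowed, transientActivation };
}

// Current behaviour as described in the issue: activation is read from the target.
function allowFocusCurrent(target) {
  if (target.policyAllowed) return true;       // focus-without-user-activation allowed
  if (target.transientActivation) return true; // step 2: target's activation state
  return false;
}

// Proposed behaviour: the initiator is threaded in and its activation is checked.
// The policy check is left on the target here; changing it is a separate issue.
function allowFocusProposed(initiator, target) {
  if (target.policyAllowed) return true;
  if (initiator.transientActivation) return true;
  return false;
}

// The issue's scenario: policy denied in B and C, only C has transient activation.
function runScenario() {
  const B = makeFrame("B", false, false); // assumption: B has no activation
  const C = makeFrame("C", false, true);
  return {
    crossFrameCurrent: allowFocusCurrent(C),      // B calls element_c.focus()
    crossFrameProposed: allowFocusProposed(B, C), // same call, initiator checked
    selfFocusProposed: allowFocusProposed(C, C),  // C focusing its own element
  };
}

// Every activation combination with the policy denied, keeping only the
// cases where the two checks disagree.
function divergentCases() {
  const rows = [];
  for (const initiatorActive of [false, true]) {
    for (const targetActive of [false, true]) {
      const initiator = makeFrame("initiator", false, initiatorActive);
      const target = makeFrame("target", false, targetActive);
      const current = allowFocusCurrent(target);
      const proposed = allowFocusProposed(initiator, target);
      if (current !== proposed) rows.push({ initiatorActive, targetActive, current, proposed });
    }
  }
  return rows;
}

console.log(runScenario(), divergentCases());
```
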