
Permissions Policy: focus-without-user-activation

Category: Miscellaneous
Type: New or changed feature
Status: In developer trial (Behind a flag) (Chrome 151)
Intent stage: Start prototyping

Summary

Gives embedders control over programmatic focus from embedded content via the focus-without-user-activation permissions policy. When the policy is denied for a frame, programmatic focus calls (element.focus(), autofocus, window.focus(), dialog.showModal(), and popover focusing) are blocked unless triggered by user activation. User-initiated focus such as clicking or tabbing is never affected. The policy can be set via a Permissions-Policy HTTP response header or the iframe allow attribute. Focus delegation is supported: a parent frame that has focus can programmatically pass focus to a child iframe, even if the child has the policy denied, and once a frame has focus it can move focus within its own subtree.
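The header and allow-attribute mechanism above, as an added example that is not code from this status entry or the explainer: a simplified model of how the embedding page's Permissions-Policy header and the iframe's allow attribute combine to decide whether an embedded frame keeps focus-without-user-activation, for a top-level embedder with one child frame. It assumes the feature's default allowlist is `*` (not stated on this page), and the origins in the comments and checks are constructed.

```javascript
// Added example, not code from the Chrome status entry or the explainer: a
// simplified model of how the embedding page's Permissions-Policy header and the
// iframe's allow attribute combine to decide whether the embedded frame may use
// focus-without-user-activation. Assumption (not stated on the page): the
// feature's default allowlist is "*", so frames stay enabled unless denied.
const FEATURE = 'focus-without-user-activation';
const DEFAULT_ALLOWLIST = ['*']; // assumed default allowlist

// Header form: `feature=(self "https://a.example")`, `feature=()` or `feature=*`.
function parseHeader(header) {
  const policy = {};
  for (const directive of header.split(',')) {
    const m = directive.trim().match(/^([\w-]+)=(?:\*|\(([^)]*)\))$/);
    if (!m) continue;
    policy[m[1]] = m[2] === undefined ? ['*']
      : m[2].split(/\s+/).filter(Boolean).map(t => t.replace(/"/g, ''));
  }
  return policy;
}

// Attribute form: `feature 'none'; other https://x`. No allowlist means 'src'.
function parseAllowAttr(attr, parentOrigin, childOrigin) {
  const policy = {};
  for (const decl of attr.split(';')) {
    const [name, ...tokens] = decl.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    policy[name] = (tokens.length ? tokens : ["'src'"])
      .filter(t => t !== "'none'")
      .map(t => (t === "'src'" ? childOrigin : t === "'self'" ? parentOrigin : t));
  }
  return policy;
}

function matches(allowlist, origin, selfOrigin) {
  return allowlist.some(t => t === '*' || (t === 'self' ? origin === selfOrigin : t === origin));
}

// True if the child frame may call focus() etc. without user activation.
function focusEnabledInChild({ parentOrigin, header = '', allowAttr = '', childOrigin }) {
  const headerList = parseHeader(header)[FEATURE] ?? DEFAULT_ALLOWLIST;
  const container = parseAllowAttr(allowAttr, parentOrigin, childOrigin);
  // 1. The embedding document must have the feature for its own origin.
  if (!matches(headerList, parentOrigin, parentOrigin)) return false;
  // 2. The header allowlist must also cover the child's origin.
  if (!matches(headerList, childOrigin, parentOrigin)) return false;
  // 3. An explicit allow attribute for the feature decides for the child.
  if (Object.prototype.hasOwnProperty.call(container, FEATURE)) {
    return matches(container[FEATURE], childOrigin, parentOrigin);
  }
  // 4. Otherwise the (assumed) default allowlist applies.
  return matches(DEFAULT_ALLOWLIST, childOrigin, parentOrigin);
}
```

Note that an `allow` attribute cannot grant the feature to an origin the header's allowlist excludes, so the header is the place to set the site-wide baseline and the attribute the place to relax it per frame.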

Motivation

Embedded third-party content such as ads, widgets, and iframes can programmatically steal input focus from the top-level page without any user interaction, silently redirecting keystrokes and creating security and accessibility problems. This was originally reported by engineers working on advertising security for large publishers. Today developers have no reliable way to prevent it: the sandbox attribute disables JavaScript entirely, breaking most embedded content, and JavaScript focus-reclaiming hacks using blur listeners or polling are unreliable, cause visible focus flickering, and do not scale across multiple iframes. This policy provides fine-grained, declarative control over programmatic focus from embedded content.

Standards & signals

Explainer: https://github.com/ffiori/webappsec-permissions-policy/blob/focus-without-user-activation-explainer/policies/focus-without-user-activation.md
