Design Review #677

#677: Auto-expanding details elements

Opened Sep 16, 2021

Ya ya yawm TAG!

I'm requesting a TAG review of Auto-expanding details elements.

Summary: Today, closed details elements aren't searchable by find-in-page or ScrollToTextFragment, and if a user wants to search in them with find-in-page they would have to manually open every details element in the page before beginning their search. This feature makes closed details elements searchable and automatically expands them when the browser tries to scroll to content inside of them for find-in-page, ScrollToTextFragment, and element fragment navigation.

Explainer¹ (minimally containing user needs and example code): https://github.com/WICG/display-locking/blob/main/explainers/auto-expanding-details-explainer.md
Specification URL:
- https://github.com/whatwg/html/pull/6466
- https://html.spec.whatwg.org/multipage/interaction.html#interaction-with-details
Tests:
- Auto-expanding details with element fragment navigation is tested here: https://wpt.fyi/results/html/semantics/interactive-elements/the-details-element/auto-expand-details-element-fragment.html
- I still need to add ScrollToTextFragment tests. ScrollToTextFragment tests do exist in WPT.
- find-in-page can't be tested in WPT, but I may spec window.find and support it for this feature in the future just to make this WPT testable.
Security and Privacy self-review²: https://github.com/WICG/display-locking/blob/main/privacy-assessments/auto-expanding-details-privacy.md
Primary contacts (and their relationship to the specification):
- Joey Arhar @josepharhar Google. Author, champion of this feature
- Vladimir Levin @vmpstr Google
- Emilio @emilio Mozilla. Reviewed the HTML spec for this feature.
Organization(s)/project(s) driving the specification: Google
Key pieces of existing multi-stakeholder review or discussion of this specification:
- A very similar feature was discussed in this tag review: https://github.com/w3ctag/design-reviews/issues/511
- This feature has been added to the HTML spec in this PR: https://github.com/whatwg/html/pull/6466
External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5032469667512320

Further details:

I have reviewed the TAG's Web Platform Design Principles
Relevant time constraints or deadlines: none
The group where the work on this specification is currently being done: WICG
The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): WHATWG
Major unresolved issues with or opposition to this specification: none
This work is being funded by: Google

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue and @-notify [github usernames]

Discussions

Comment by @josepharhar Sep 24, 2021 (See Github)

There is some useful discussion here: https://github.com/mozilla/standards-positions/issues/578

Discussed Oct 1, 2021 (See Github)

Lea: seems like a reasonable feature but there are accessibility considerations, there's a linked thread from mozilla standards position that talks about it

Dan: they don't say it's harmful. Not sure what Anne means about dashboard entry

Lea: looks like there are no a11y concerns, just discussion of implications, but nothing problematic. I don't see anything against it.

Dan: filled out security & privacy

Lea: already in html spec..

Dan: in the s&p questionnaire there is a find in page vulnerability.. there's a mitigation being implemented in chrome. Worth mentioning that we'd like to see what impact that has, or we support the proposed mitigation. Worth noting they've considered this. Is it documented anywhere? If it's an addition to the html spec it doesn't seem to be documented anywhere other than the explainer. Is there security and privacy considerations in html?

Lea: there are in individual parts of the html spec

Dan: [writes comment] Any other questions/comments?

Lea: do you think the question would block the review?

Dan: I don't think so, not blocking

Lea: if we post a comment saying it looks good and add proposed close they might not get to your question.

Dan: maybe we can close at plenary or next week

Sangwhan: it can be used to tell what user is searching for, problematic?

Amy: they link to a demo of that in s&p

Dan: could be problematic

Sangwhan: possible through an indirect channel..

Dan: is the user expectation that what they're searching for in an article is private to them?

Sangwhan: huge meta question here, I'm not sure. The query string can be referred to so what the user was looking for in a given webpage can be inferred by the referrer which contains the query string from a search engine (google removes that), except when you have scrolltotextfragment enabled when you can infer to some level. I don't really know the implications.

Dan: should we ask privacy ig to weigh in?

Discussed Oct 1, 2021 (See Github)

Dan: opener responded helpfully with a PR

Lea: do we need to wait for it to be merged to close?

Dan: looking at PR.. writes closing comment.

Comment by @torgo Oct 12, 2021 (See Github)

Hi @josepharhar. Regarding the security & privacy questionnaire - you've noted a privacy venerability and a potential mitigation. (Great!) Is this documented anywhere in the spec itself? We are generally supportive - we just want to bottom out the potential privacy issue that you've documented. Also adding privacy-tracker label to bring it to the attention of Privacy Interest Group.

Comment by @josepharhar Oct 13, 2021 (See Github)

you've noted a privacy venerability and a potential mitigation. (Great!) Is this documented anywhere in the spec itself?

No, I didn't include this in the spec

Comment by @slightlyoff Oct 14, 2021 (See Github)

hey @josepharhar, per the Intent thread, it'd be great to see a non-normative note in the spec flagging that this is a potential concern, perhaps in your privacy and security considerations section?

Thanks.

Comment by @josepharhar Oct 15, 2021 (See Github)

hey @josepharhar, per the Intent thread, it'd be great to see a non-normative note in the spec flagging that this is a potential concern, perhaps in your privacy and security considerations section?

I opened a PR to add a non-normative note here: https://github.com/whatwg/html/pull/7229

Comment by @torgo Oct 18, 2021 (See Github)

Thanks @josepharhar and @slightlyoff - much appreciated. I think on that basis we're happy to close the review. We discussed this last week and we have no objections. Thanks for flying TAG.