Attendees: rbyers, dtapuska, esprehn, ojan
AI: rbyers will talk to vollick to see if it should be someone on his team or someone on input-dev who makes a technical design/proposal.
rbyers: Intuition is that trying to do something automatically will cause more pain than it solves. Would love to find something we can do by default. Even if we find something, it's going to be a lot of work to implement it and convince ourselves that it's a net win. Start with an opt-in mechanism the ads folks can use and then we can evaluate better whether we can do something by default.
dtapuska: Seems like ads cares mostly about opacity.
ojan: Yup, that's one of their two problems. The other is this click thing. We have a solution for that which is V2 of IntersectionObserver (IO).
<tangent about why we need IO and don't have the primitives we need to just do it in JS>
rbyers: The problems they're trying to solve seem related to the same IO problems. If IO were built on primitives, they could do their own thing here.
esprehn: even getBoundingClientRect is not very cheap by itself even if layout is done.
ojan: I was confused...ads' other concern was opacity in an ancestor.
esprehn: The way this would work is all iframes get their own layer and display list is split across layers. Then the compositor can detect which frame you're hitting. Allowing origin assertions based on what you're tapping.
rbyers: Still possible to overlap iframes. Provide strict boundary for developer but not for user.
esprehn: UI attribution unsolvable. Hard to convince the user that part of the screen belongs to someone.
<ojan forgot to take notes>
A couple paths forward:
1. Boolean opt-in?
2. What about only for cross-origin iframes?
3. What about start by just adding measurement?
#2 maybe we could ship by default without worrying much about compat.
How do you define movement? Should scroll do it? What about in process fling and then I tap on it as the fling is slowing down?
esprehn: Difference between programmatic scroll and gesture.
ojan: Can we look at how much the thing moved?
rbyers: How long has this thing been under this point?
esprehn: Produces deadzone on the edges.
rbyers: Yup. That's fine.
esprehn: I think shipping an UMA makes sense as a way of evaluating.
rbyers: This is going to be a large number and we have no way of detecting false from true positives. So, UMA isn't great.
esprehn: Want a sanity check that we didn't screw things up, e.g. shouldn't be 90% of pages. Really want rappor to tell if it's just one website that sucks.
rbyers: For numbers big enough, dev channel covers it.
esprehn: Not clear that it's the long tail of sites that are doing this. Might not be a general problem.
rbyers: I think this might be something we could have by default for cross-origin iframes. How would we implement? Need a log of the last 500ms of the positions of every cross-origin iframe.
rbyers: Care primarily about mobile?
esprehn: Yes, touch screens.
ojan: Yup. Mobile is the P0 here.
esprehn: Seems rare that people accidentally click on things on desktop.
ojan: That's not totally true. The malicious content hits on desktop. But, mobile is more important.
esprehn: Realistically, we're probably give all cross-origin iframes a layer anyways. Tracking at CC layer level seems fine. CC layer can keep a log of location and size.
ojan: next step?
rbyers: Build on CompositorWorker?
esprehn: I think you need a bit more knowledge there.
rbyers: Next step is to have someone look into details of the design and see if it's reasonable.
esprehn: Doesn't need to be perfect. It's OK if sometimes we allow you to tap even if there was movement.
rbyers: Yes, as long as we're conservative to avoid false positives where we disallow clicks we should let through.