Agree with the proposal.

@jcjones Create PR

Update: I have this PR in progress and will get it posted soon.

From call of 2019-10-09: since the cross-origin case is disabled by default without an allow blessing, I'm not sure about the utility of this. If we force an iframe to be visible, it can still be white on a white background, so I couldn't use that in a security argument either I suspect. Thus I hope that disabled-by-default is a good safeguard and, if not, would be interested to know others' motivations.

We agree with the high-level direction of the proposal, and look forward to seeing the PR. Even if the notion of visibility is tricky to define, we’re in favor of attempting to make it clear that the API is intended to be used by visible frames only.

As an update, I'm still gathering feedback internally per @agl's comment above. Since there's feeling that this PR would not be welcome, I haven't finished shaping the language I was using until I get our internal temperature.

While we don't have a final decision from the Mozilla-side, @agl's arguments are persuasive about the UA's inability to codify our intent here. The threat modelling exercise for this led to #1336, which I feel is a more important concern to nail down than the concept of visibility for cross-origin frames. I also think user interaction is potentially more important than visibility (#1293). I will see if I can gather the necessary feedback internally to close this issue in favor of those (#1336, #1293) in the next ~week.

at the 2020-02-26 meeting, @jcjones, @agl, and @rmondello agreed that closing this issue is fine, no objections from room.