Vibrate is being abused by malicious contents, and some users have complained about it (e.g., this reddit thread). To better protect user, we would like to gate vibrate with user activation (aka. user gesture or user initiated actions, defined here in the html spec). The metrics from Chrome shows that vibrate was being used by ~0.02% of pages (in Feb 2017, the metrics link).

A frame would be able to vibrate user devices if it or any of its embedded frames has ever received a user activation. In implementation terms, when a user clicks on an iframe, we would set a bit up the ancestor chain saying that it had received a user gesture, so then any frame in the ancestor chain would be able to vibrate from then on.

This is a follow-up effort of #25 "Require user gesture for navigator.vibrate in cross-origin iframes".

cc/ @ojanvafai @RByers @mikewest @bzbarsky @chrisbro-MSFT @VicenteDiaz