There are a couple more small improvements we can make to the word boundary part of the specification, as described in the TAG review.

https://wicg.github.io/ScrollToTextFragment/#navigating-to-text-fragment defers to HTML5 in order to perform the scroll to the fragment.

https://html.spec.whatwg.org/multipage/browsing-the-web.html#scroll-to-the-fragment-identifier assumes that the indicated part of the document is an Element and then defers to CSSOMView.
However, https://wicg.github.io/ScrollToTextFragment/#find-a-target-text returns a Range.

Maybe what is wanted instead is to rely on window.find() but this is not standardized. See whatwg/html#3539

Thank you for your link to Fragmention, and I appreciate the work here. As discussed in the original fragmention post linking by cited text is very resilient.

Have you looked at supporting the Fragmention model as a fallback - ie not requiring #targetText= as a prefix, but if there are multiple space separated words in the fragment, doing a search for them? (after any other special fragment resolution code runs).

The proposed scroll to text fragment URLs will be even more prone to link rot than normal links already are. In the case of normal (fragment) links, the owner of the webpage is in control of which fragments are available. When changing the page, they could to the diligent work and make sure all the expected links work as intended and either provide the original information, or a suggestion where the information has moved.

With the proposed solution, this is not the case - the proposed fragment links point to an arbitrary part of the webpage where the owner of the website has no idea these links even exist so there is no way the owner can keep the links working.

In the example:
www.example.com#targetText=the%20lazy%20dog,brown%20fox

Would match "The lazy dog jumped over the quick brown fox". However, if the owner of the site decided to add another snippit of text ("the lazy dog has a brown coat, and it looks just like a brown fox") that also matches the targetText, the link would be invalid and would actually point to another part of the document not intended by the link.

In the example pointing to PDF pages, audio tracks etc:
The difference with links in media fragments and PDFs, is that in those cases, the underlying content is a lot less likely to change. Links to a specific page number, track or row are all pointing to a part of the document or media that are already numbered. These numbers are already there with the intent of allowing (human) navigation to them, so it would stand to reason that linking to them would also be a good idea. Text passages in a web page are not intended as part of the navigational structure of the page, which makes linking to them unexpected behaviour.

tl;dr:

• linking should point to things that are part of the navigational structure. This makes it OK to point to chapters, pages, sections, rows etc, but not OK to link to fragments of text.
• the owner of a page should have control on what links "work" on that page. This ensures that they have the ability to make changes to the page without breaking any links to the page.

You have the most important part, the URL record and the parsing modifications. This is all browsers need. But it's also important to update the definition of a URL for web developers, in https://url.spec.whatwg.org/#url-writing

Maybe nothing changes in that section actually, since the same set of strings is valid before and after?

However, it may be good to have a section describing, in a similar rigorous fashion, the validity of the targetText directive in particular. Some of this is done informally in https://wicg.github.io/ScrollToTextFragment/#syntax. Such a section would probably end up in HTML (or wherever the actual targetText directive is defined), instead of being part of the general URL infrastructure.

We should add some guidelines/recommendations to the spec for best-practices around generating :~:text= links. We shouldn't make these MUST statements since UAs should be free to experiment and iterate on how they generate links, so long as they conform to the specified syntax; however, having some guide-rails will help ensure a basic level of user friendliness.

Some examples:

• Stripping fragment-ids from the URL before appending a :~:text= directive. This could be done optionally, if the element fragment has been scrolled far enough off-screen
• Guidelines around when to prefer including the entire snippet vs. range-based
• How/When to use context terms

It'd make the spec easier to read if there were a liberal sprinkling of cross links to relevant concepts. For example:

• Lots of Infra concepts are used. Although it's less important to link to basic things like "string starts with" or "remove from a list" or similar, some of the stuff around position variables would be helpful.
• "Find an exact match with context" is italicized, not linked
• "Each document has an associated fragment directive" should have a <dfn>, and further references should link to it. Similarly for URL record.
• References to "c" in the URL parser should go to https://url.spec.whatwg.org/#c

One heuristic is that you seem to have italicized a lot of things that should be links. Maybe do an audit of all your italicizations.

Thinking through the "mixing with SPA's" issue in #15, I wonder if the XPointer Framework syntax's style might be useful to avoid collisions and enable "mixing."

We used this approach in the Web Annotation WG's Selectors and States note. The same syntax style can be seen in SVG's fragment identifiers like #svgView()

This style is less frequently used (other than the standardized ones like svgView()) by JS developers building SPAs. Additionally, these can more easily accommodate mixing and more clearly be "functional"--which avoids confusion between which client this fragment was intended for (the browser or the Web app).

For example using find() rather than targetText= avoids collision with site key/value pairs while also feeling more functional/active.

http://example.com/spa#page_id=5&find("on sale")

Structuring the URL has the interesting side-effect that when the location.hash is parsed (sans-#) with URLSearchParams the results shake out into two groups:

• the key/value pairs (i.e. page_id=5)
• the non-key/value pairs (i.e. find("on sale")):

Current JS demo below....

let u = new URL('http://example.com/#page_id=5&find("on sale")');
let usp = new URLSearchParams(u.hash.substr(1));
for (let p of usp.entries()) console.log(p);
# Array [ "page_id", "5" ]
# Array [ "find(\"on sale\")", ""]

This avoids "magic strings" (like targetText) polluting the key space, while still making these easily shimmable via JS.

Additionally, once there is a find() (or targetText() or selector() or whatever) these could be gleaned by the browser engine (possibly removing it from the hash) and kept for its own use--while still following existing URL design and extensibility patterns.

It would also open the door to a more extensible space and patterns for future development, by suggesting that # values may be & delimited and may contain "functional fragments" which may be ignored or implemented by the client (whether browser or Web app).

Thoughts?

Just a thought quickly typed down—could the idea to also use CSS for fragment identifiers be merged with this draft?

What about, already buying into the name change suggestion in #25, providing for both

• ##target=prefix-,startText,endText,-suffix and
• ##target(selector)?

This may be reasonably clear and allow for maximum flexibility. A quick thought.

In Fragment Directive Grammar we have:

FragmentDirective ::= (TextDirective | UnknownDirective) ("&" FragmentDirective)?
UnknownDirective ::= CharacterString
CharacterString ::= (ExplicitChar | PercentEncodedChar)+
ExplicitChar ::= [a-zA-Z0-9] | "!" | "$" | "'" | "(" | ")" | "*" | "+" | "." | "/" | ":" | ";" | "=" | "?" | "@" | "_" | "~"

With the note: "A ExplicitChar may be any URL code point that is not explicitly used in the TextDirective syntax, that is "&", "-", and ",", which must be percent-encoded."

I believe this implies that we're placing the percent-encode restrictions from the text= directive on any potential future directives. I think we should make it clear that UnknownDirective doesn't require percent encoding "-" or ",".

You probably only want to remove the trailing -, right?

To give an example, see any mobile Wikipedia page: e.g. https://en.m.wikipedia.org/wiki/Cat.

Sections after the first one start off in collapsed headings. The text is available in the DOM but isn't displayed to the user unless they expand the relevant section.

These features are author-coded and there's no way in general to detect this case or have the browser automatically expand/display the section. I think there's just 2 options here:

1. Ignore text that's in a display:none subtree or hidden obscured/clipped out (this could be done with IntersectionObserver)
2. Allow pages to account for this and automatically expand/display any targeted text. In the example above, Wikipedia automatically expands sections that are linked using an element-id hash: e.g. https://en.m.wikipedia.org/wiki/Cat#Senses.

Option 1 seems unsatisfying so I think we should pursue 2. The most straightforward way would be to apply the CSS :target pseudo-class. This ties in with issue #1 which proposes target-within since we cannot apply a pseudo-class to text.

#90 revamped the text-matching algorithm but didn't specify that the text match should be done in a case-insensitive manner. This happens in the find a range from a node list steps.

The proposed kind of URIs is fragile. It can be broken by minor changes in text. It would cause dead links.

The proposed solution:

1. require a mandatory fallback id of the immediate parent element. Treat links without it as ordinary links. Search only inside of that element for performance optimization. Use parent element id as a fallback when the match is not found.

2. introduce fuzzy searches, for example some limited language-morphology based regex, fuzzy hash or even sentence embedding vector.

I understand the desire to avoid clashing with existing ids, but it seems like the ## delimiter handles that problem already.

##text= seems just as clear and a lot briefer, which is important in URLs.

For security, we want to avoid invoking the text directive on windows that can be scripted by another origin. It was pointed out in w3ctag/design-reviews#392 (comment) that our current set of restrictions doesn't work in all cases, an attacker could:

• Top-Level window A1 Opens a popup A2
• popup A2 navigates A1 to V with :~:text

Since V is top-level and has no opener, origin A is now able to cause text directive invocations in V which is bad because it persists past the navigation.

As shown in #76 and #79, there are ways to leak information across origins due to the initial scroll. They rely on specific circumstances on a page so they aren't general but they are possible so we should consider ways to mitigate them.

I think it'd be useful to add a mechanism for a page to opt out of fragment navigation. i.e. Guarantee it'll load at the initial scroll offset. This can opt-out of element-id and name based fragments as well, which are susceptible to the same issues.

IMHO, it'd also be reasonable for UAs to weigh the trade-offs differently so I'd like to explore adding an auto|on|off switch. By default (auto), the UA can decide whether or not to scroll into view. "On" would be a signal that the page has explicitly deemed it ok to scroll on load and allow all UAs to scroll to a fragment whereas "off" would block all UAs from scrolling into view.

The highlights themselves, if implemented according to spec, aren't detectable by pages so I think this opt-in/out need only apply to the scrolling aspect.

A meta tag seems like a good start to me but I'm open to alternatives. e.g.

<meta name="allow-navigation-scroll" content="auto|block|allow">

As currently specified, it appears a text fragment identifier can match elements across a very wide swath of DOM, including the entire document, in one match. WICG/display-locking#125 on the display locking repo gives a real-world example where the match is very broad.

That issue also describes why this is a problem for semantics and usability of the beforematch event. It may also be a usability issue of scroll to text fragment, because the scroll will not show the entire match.

I propose that text fragment identifiers not be allowed to cross elements with contain: style layout. This specific restriction is chosen to match semantics of subtree-visibility, and resolve WICG/display-locking#125. Additional restrictions for other types of layout may be appropriate as well.

/cc @bokand @nickburris

--

One potential concern was raised by @vmpstr when discussing this proposal offline, which is that a site could "opt out" of scroll to text fragment by putting every word in a contain: style layout div. However, I don't think this is a significant problem because (a) I don't think it's a problem to worry about if sites go out of their way to avoid text fragments via extreme hacks, and (b) the site will have poor performance and layout behavior if they attempt it.

Based on the discussion in whatwg/url/issues/445, I think we should move the sections of the spec dealing with parsing the fragment directive from the URL into the HTML spec only, so that it's only affected as part of HTML document loading.

Chrome has landed this spec behind a flag: https://www.chromestatus.com/features/4733392803332096 - but the implementation uses a single hash - I don't suppose you have any idea why?

Or whether this is somehow a bug in their implementation?

The current spec supports fallback syntax, like #comments:~:word. The string word is searched on the whole page and if not found, the browser will fallback to the regular id #comments.

I think we should consider another approach if not done yet. We could search inside the element matched by the regular id fragment (here #comments) instead of the whole page. The fallback would be unchanged, the whole element.

From the find a target text algorithm steps (section 2.4.3), it seems as though the TreeWalker is used to iterate over text nodes and the search is performed on their innerText. This seems to mean that no direct search for text that spans an element boundary would ever match.

The easiest way to address this would be to say that this is intentional and that any such match should use a range fragment, specifying the start and end text.

There are maybe other ways to address it, but I think that they immediately bring complications with the innerText algorithm.

This is not sufficiently well-defined.

Maybe this is intentional, and we mean to use similar user-agent discretion as is done for find-in-page, which has some per-UA heuristics. But I'll provide some advice assuming the desire is complete interoperability.

Here are some potential axes which need to be considered:

• textContent-style vs. innerText-style. textContent is essentially the raw text node content, whereas innerText does a variety of styling-derived transformations, e.g. CSS uppercasing translates to uppercase characters, hiding things with CSS removes them from the text, <br>s and other linebreaks become \n, and so on.

• Does this search inside shadow trees, or only the light DOM? Probably it should, although this means that existing definitions are not going to be helpful and we'll need to create our own.

• Similarly, do we use DOM order or flat tree order? This is primarily impacted by shadow DOM slotting.

If you have some thoughts on the answers that would be most useful here, I can try to give some guidance on how to precisely define this. Also, if there are other subtleties to consider, that'd be good to know; the above is just off the top of my head.

I couldn't tell you how many times I had to say "Click this page and scroll to X" because there was no way to select a header and get its click ID. Prior to Markdown and related tools, having IDs for headers was exceedingly rare, and it still is fairly uncommon on blog posts to convert headers into anchors.

It'd be nice to be able to search only by header, and most of the time that's all I would want to search.

If the page has more than one instance of text, it might be useful to select a particular occurrence of text. For example, you might have a page structure like this (pretend each of these are headers, where indentation signifies hierarchy):

• Product 1
  • Description
  • Parts included
  • Reviews
• Product 2
  • Description
  • Parts included
  • Reviews
• Product 3
  • Description
  • Parts included
  • Reviews

Now suppose you want to link the parts included within Product 2 to someone. How would you do that, rather than accidentally linking "Parts included" for Product 1?

All browsers already have the ability to find and/or highlight multiple iterations of a text phrase via their search functions.
Why not simply have the browser recognise the URL tag as a request for page search, using it's internal search function, with an iteration identifier?
e.g. #search=Phrase%to%find,3

The long phrase search would be more practical by simply adding a 'searchEnd' option that includes the iteration variable thus also enabling provision to allow for multiple iterations to be highlighted.
e.g. #search=Phrase%to%find,3,searchEnd=end%phrase.,3
or
#search=Phrase%to%find,3,searchEnd=end%phrase.,4

Possibly include a forced highlight option that overrides the browser's setting:
e.g. #search=Phrase%to%find,3,h

Far simpler, usable and easily memorable than all of that 'targetX' nonsense, and doesn't break if it's not the first iteration you want to link to.

I'm honestly surprised there's been coding time given to implement this using such easily broken methodology...

I'm sure there will be instances of conflicts with '#search', so have it substitute with '#search1' if a conflict arises.

As stated in other feedback, there is still the issue with page edits breaking links.
So while imperfect, a simple link to 'x% of page vertical pixels' may prove to be a more reliable solution.
e.g. #vertPct=42
A highlight option could be provided by specifying two percentages.
e.g. #vertPct=42,45

An included value for aspect ratio could be used to work around layout differences.
Certainly simpler to implement and continues to work at least with some degree of accuracy regardless of changes to the page content.

Disclaimer: it's WIP issue, I will update it later, it's not finished, just sketching some ideas.

Hash is already defined and we don't want to break it. As mentioned in the readme, there might be a collision with ids and routes in SPAs. So, while I like the goal, I don't really like breaking compatibility.

Potential solutions:

1. HTML attribute. We already have HTML attributes for <a href="..."> to tell the browser how to open the page. For example, we have target=_blank, rel=noopener and others. So, let's create a new attribute, let it be target-text="...". So, one would use it like this:
   <a href="https://example.com" target-text="text to highlight">Link</a>
   It will allow us to send links wherever we can use HTML: in emails, chats, or in search engine results.
   But this solution will not allow to open URLs with highlights from other programs, outside of the browser, I think.
2. Another URI scheme. We have a lot of URI schemes. Probably, most known is mailto: and Chrome is able to handle it perfectly, to open gmail whenever I click on it. So, why don't we create a new URI sceme, which will be something like this (similar to Magnet URI):
   targetTextOnPage:?targetText=text to highlight&url=https://example.com
   Which will open https://example.com and highlight text to highlight. Spaces probably should be URL-encoded, doesn't really matter right now.
   But this solution don't have a fallback. So, if user with old system clicks on that "magnet" link, it won't open nothing.

Side notes:

• [ and ] are reserved gen-delims (src) and still are not used, I think. So, probably we can do https://example.com/page#header[text to highlight]
• css selectors are not stable, especially because of complicated building proccess of modern web apps that use minification and obfuscation to prevent parsing, so it's not a good option.

P.S. While it's still WIP, let me know what you think about it.

The behavior we've found useful is that visibility:hidden or display:none text that we find in the DOM should be matched but not scrolled into view. That way, if the page makes it visible after load it is indicated.

One use case we're thinking of here is mobile Wikipedia. If the link has a classic element-id fragment so that it expands a section based on page script, we want the highlight to still appear. In these cases, we don't want to scroll-into-view though.

We need to make sure this is precisely specified.

The .bs source uses section autolinks ([[spec#heading-id]]) for a lot of places where it intends to just link to definitions in those specs. This is incorrect markup; if the specs' heading data isn't in Bikeshed, Bikeshed just throws up its hands and assumes you know what you're linking to. (Which means that the links are fragile/unsafe, with no guarantee that the ID exists at all in the destination document.)

However, these specs were in Bikeshed, I just wasn't processing the spec names properly; now that I've fixed that, Bikeshed is (correctly) reporting that those IDs don't correspond to any headings in the spec, and no longer generating a link. The next time you (or your CI) generates the spec, you'll get a number of fatal errors, and the output will lose several links.

Please replace these with proper autolinks, such as [=term here=] or {{Foo/method()}}: see https://tabatkins.github.io/bikeshed/#autolink-microsyntax for guidance on syntax, or feel free to contact me in IRC at Freenode#whatwg or W3C#css.

The proposal seems to enable some privacy attacks, by exposing new types of information to new types of observers.

For example: Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with #:~:text=cancer. On certain page layouts, i might be able tell if the employee has cancer by looking for lower-on-the-page resources being requested

It is proposed to make this kind of links unworkable for the content within the same page.

Rationale: code-monkeys would abuse it for referencing content in own applications instead of ids. It can cause performance, efficiency and resource consumption problems. But code-monkeys don't care. Unfortunately sometimes even large web resources hire code-monkeys. So the standard should be foolproof.

Is this feature aimed to cross-operate with the display locking API?

It would be great to be able to comment on the linked resource text fragment. W3C Web Annotations [implementations] don't recognize the targetText parameter, so AFAIU comments are then added to the document#fragment and not the specified text fragment.

I see that W3C Web Annotation Data Model is linked to under 'Other'.

https://hypothes.is , for example, implements W3C Web Annotations for highlighting and commenting on lots of things; including text fragments. WA is a JSONLD spec: it's definitely possible to encode JSONLD in a URI fragment. urlencoded without newlines is easy, if maybe unnecessarily verbose.

WA already solves for referencing in-page images and things; but hasn't (yet?) defined a IRI fragment syntax.

Is there a simplified mapping of W3C Web Annotations to URI fragment parameters?

https://www.w3.org/TR/2017/REC-annotation-model-20170223/#bodies-and-targets

https://www.w3.org/TR/annotation-model/#bodies-and-targets

https://www.w3.org/TR/annotation-model/#embedded-textual-body

https://www.w3.org/TR/annotation-model/#css-selector (CSS Selector)

https://www.w3.org/TR/annotation-model/#xpath-selector (XPath Selector)

User might share content that is generated by JavaScript.
How would targetText target/scrollTo text that isn't yet painted or is painted after some delay?

Increment c by the length of the fragment-directive delimiter minus 1.

Nothing in the URL spec increments c. It's unclear what this would mean; c is a character, so is incrementing it by 1 suppose to give the character that's 1 larger in the Unicode code point space?

I suspect you want to "increase pointer by..." which is a phrase that is used elsewhere.

When both fragment and fragment directive are specified, text search should start at the fragment anchor. Currently, the spec says to completely ignore the fragment in UAs that support text fragments. But it would babe a. useful extra capability in the case of multiple matches, and could allow links to more similar locations in supporting and non-supporting browsers. (Search could wrap to ensure this never entirely misses a text match).

Edit: s/client instruction/processing instruction/g

Currently, URIs treat %% as invalid. Should we maybe extend accepted URIs to support this use case using that token, as effectively "processing instructions" (like "scroll to text") rather than necessarily seeing it as a fragment? These "processing instructions" would not be exposed to users, at least initially, and it wouldn't be included in what's sent to servers.

I'm thinking maybe view it as this:

• https://example.com#!/route%%q=some%20text - Search for some text
• https://example.com#!/route%%q=some%20text%%n=2 - Search for second occurrence of some text
• I could see other potential additions like delaying the search (for JS), selecting or filtering by CSS selector, etc.
• Of course, order doesn't matter. %%q=some%20text%%n=2 and %%n=2%%q=some%20text are equivalent.

Alternatively, you could wrap each "processing instruction" in brackets like [q=some%20text] as suggested in #13, but I feel a double percent sign is probably a little easier to explain and use. (I see potential use in both technical and non-technical circles, so accessibility to non-technical people is a concern of mine.)

This would resolve and/or address numerous existing issues already filed:

• #2 - This could be as simple as a %%delay=int_ms or %%delay=float_s instruction.
• #4 - This could be recast as a way to specify Web Annotation "target" selectors, but I don't agree we should be bound to their format - it's a bit more verbose than what's necessary for this. We're just selecting crap, and we could include all their functionality with less boilerplate and more flexibility.
• #5 - The long prefix is instead a simple %%q=, something even non-technical users could potentially recognize right away due to familiarity with the common convention used by search engines.
• #7 - This doesn't clash. Problem solved. 😉
• #8 - This could be as simple as a %%select=div>:nth-child(2)>span.whatever instruction.
• #9 - This could be as simple as a %%n=int_n instruction, as proposed above. We could also include range support here like 1-3 for first three or similar. (Other concerns like "last 4" or "all but first two" need considered.)
• #10 - Unintentionally similar to this, but this is a bit more deliberate and focused where that misses the point of the proposal and goes slightly off-topic.
• #11 - This keeps it inaccessible to CSS, so you can't write complicated selectors to select based on target. This should keep abuse down a bit. (The other complaint of using text instead of IDs is an issue this deliberately shouldn't fix, as a proper fix would interfere with user-level use.)
• #13 - This is a concrete proposal driven by similar reasons to that issue, but aims to be simpler and more extensible and flexible.

The explainer's Security section discusses several restrictions on the feature; however, they're not mentioned at all in the spec.

At the least, the spec should add some implementer notes around the security issues here but it might make sense to make these normative requirements, given that not implementing them could be harmful to users.

If an attacker has an iframe embedded in the victim page, they can determine some information from the victim page across origins. Using an intersection observer, the attacker can determine if the iframe intersects the viewport and use that to guess whether a followed link resolved to the text fragment.

While these text fragments will often be created by user agents it would be nice to be able to construct these easily in JS so that custom sharing options can be created.

For example Medium does this with selected text:

It would be nice to be able to do similar with fragment directives using the URL API.

e.g. Example API surface:

const url = new URL(location.href);
url.fragmentDirectives.add('text', window.getSelection().toString());

showShareUrl(url);

In #15 we're discussing ways to spec the feature such that it doesn't break pages that use the hash fragment for their own purposes. If we succeed in doing that, this means that UAs implementing this feature can follow links with the targetText to pages that would otherwise break with a hand-crafted fragment. The canonical example from that issue is https://www.webmd.com/skin-problems-and-treatments/lice-treatment#anything.

However, this would mean that a page sending a user to https://www.webmd.com/skin-problems-and-treatments/lice-treatment##targetText=sometext will load and work correctly in UAs that support the feature, but completely break the page for UAs that don't.

We should support some method of feature detection so pages can check whether adding a targetText has the potential to break the link and avoid adding it for UAs that don't support it.

What if I want to link to targetText that contains a comma?

What does whitespace mean in targetText? Browsers frequently do not display whitespace the same as the source html, for example \n might be rendered as a space. Or two spaces in the html might be rendered as a single space.

Looks like the web annotation community has already thought about the whitespace issue, here's one example discussion: w3c/web-annotation#221

This proposal will break all kinds of apps.

SPA routers like the one bundled with Mithril let one transparently use either the path, the querystring or the hash part of the URL to store the route params. So URLs ending with #/foo/bar?baz=5&qux=6 are not uncommon. Even adding another &targetText=... could break existing pages.

Some apps also serialize their state in the hash part for sharing and saving (bookmark).

The HTML user activation model was updated to expand on the concept of "triggered by user activation", which is used in our draft spec.

Per the spec author guidance doc, this should be updated to refer to Window's transient activation state.

We need to specify the parsing and behavior of multiple text directives, where each of the text directives is visually indicated (e.g. highlighted) and the first one that's found is scrolled into view.

When I use the comma-separated variant in 74.0.3709.0, only the beginning part is highlighted. Is support currently postponed or not yet implemented?

If we will decide to go with URL-based solution, we should consider adding an alternative to location.hash that will retrieve targetText from the URL.

From the find a target text algorithm steps (section 2.4.3), step 13 initializes a TreeWalker but does not specify what the root node or the whatToFind filter should be.

Currently target element https://drafts.csswg.org/selectors-4/#the-target-pseudo is capturable with CSS :target that applies to elements having attribute id.

Since Scroll-To-Text may target text inside element and not directly text,
I recommend to take an example from CSS :focus, :focus-within and to implement a new target pseudo-class :target-within that would capture element within is the targeted text part.

@tabatkins, any suggestions?

As mentioned in the I2S thread, the timing-based attacks and mitigation aren't mentioned at all in the spec. This was an accidental omission.