- From: Simon Pieters <simonp@opera.com>
- Date: Mon, 23 Feb 2015 09:11:23 +0100
- To: "Tab Atkins Jr." <jackalmage@gmail.com>, "Daniel Glazman" <daniel.glazman@disruptive-innovations.com>
- Cc: "public-houdini@w3.org" <public-houdini@w3.org>
On Thu, 19 Feb 2015 17:46:50 +0100, Daniel Glazman <daniel.glazman@disruptive-innovations.com> wrote: > On 19/02/2015 17:36, Tab Atkins Jr. wrote: > >> The CSSOM *does* contain such comments, because it offers access to >> the textual contents of the stylesheet. Where? > Only if your cssText is really the original textual content. You > seem to indicate this is the case for Blink but it's not the > case for Gecko where the cssText is serialized/reconstructed > from the OM. That saves quite a bit of memory footprint. > Blink's choice being different, is that motivated by a use > case (I could perfectly understand that)? Blink is not different AFAICT. http://software.hixie.ch/utilities/js/live-dom-viewer/saved/3424 Although we allow reading of computed (or used) style with getComputedStyle, we don't allow access to the raw text and cross-origin we don't allow access to rules where the selector is not applied. The main problem is that cross-origin loading of CSS is allowed in the first place. This has caused problems like https://bugzilla.mozilla.org/show_bug.cgi?id=524223 I don't know if there was a concrete attack scenario that led browsers to implement cross-origin restriction for CSSOM or if it was "just" defence-in-depth. It was implemented before I put it in the spec. It does protect stylesheets that have secrets in selectors. It might protect other things, too. I think the restriction should not be lifted lightly. -- Simon Pieters Opera Software
Received on Monday, 23 February 2015 08:11:36 UTC