W3C home > Mailing lists > Public > public-houdini@w3.org > February 2015

Re: [parser] Scope question

From: Simon Pieters <simonp@opera.com>
Date: Mon, 23 Feb 2015 09:44:31 +0100
To: "Tab Atkins Jr." <jackalmage@gmail.com>, "Daniel Glazman" <daniel.glazman@disruptive-innovations.com>
Cc: "public-houdini@w3.org" <public-houdini@w3.org>
Message-ID: <op.xuh48hvdidj3kv@simons-mbp>
On Mon, 23 Feb 2015 09:11:23 +0100, Simon Pieters <simonp@opera.com> wrote:

> On Thu, 19 Feb 2015 17:46:50 +0100, Daniel Glazman  
> <daniel.glazman@disruptive-innovations.com> wrote:
>
>> On 19/02/2015 17:36, Tab Atkins Jr. wrote:
>>
>>> The CSSOM *does* contain such comments, because it offers access to
>>> the textual contents of the stylesheet.
>
> Where?
>
>> Only if your cssText is really the original textual content. You
>> seem to indicate this is the case for Blink but it's not the
>> case for Gecko where the cssText is serialized/reconstructed
>> from the OM. That saves quite a bit of memory footprint.
>> Blink's choice being different, is that motivated by a use
>> case (I could perfectly understand that)?
>
> Blink is not different AFAICT.
>
> http://software.hixie.ch/utilities/js/live-dom-viewer/saved/3424
>
> Although we allow reading of computed (or used) style with  
> getComputedStyle, we don't allow access to the raw text and cross-origin  
> we don't allow access to rules where the selector is not applied.

Also things in @media rules that are not applied.

> The main problem is that cross-origin loading of CSS is allowed in the  
> first place. This has caused problems like  
> https://bugzilla.mozilla.org/show_bug.cgi?id=524223
>
> I don't know if there was a concrete attack scenario that led browsers  
> to implement cross-origin restriction for CSSOM or if it was "just"  
> defence-in-depth. It was implemented before I put it in the spec. It  
> does protect stylesheets that have secrets in selectors. It might  
> protect other things, too. I think the restriction should not be lifted  
> lightly.
>


-- 
Simon Pieters
Opera Software
Received on Monday, 23 February 2015 08:44:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 February 2015 08:44:43 UTC