W3C home > Mailing lists > Public > www-dom@w3.org > April to June 2003

document.styleSheets and JS security model

From: Charles Kendrick <charles@isomorphic.com>
Date: Fri, 04 Apr 2003 14:38:42 -0800
Message-ID: <3E8E0972.CFBA3EC6@isomorphic.com>
To: www-dom@w3.org

In some modern user agents, including Mozilla and IE, attempting to access the document.styleSheets
array leads to an "Access Denied" error when a stylesheet has been loaded from a host other than the
one the main HTML document has been loaded from.

This is a surprisingly serious problem, because:
- DHTML developers must have access to document.styleSheets for many reasons
- it is a very common practice to offload "media" like styleSheets and images to a second host,
  or to a service like Akamai
- the Access Denied behavior is consistent with a strict interpretation of the JavaScript 
  security model, so the browser makers are following specs

I think this problem could be avoided if there were a getStyle(className, pseudoClass) in the ViewCSS
interface, which simply retrieved the unmodified CSSStyleDeclaration.  

A browser implementer would be highly unlikely to think that an Access Denied error was appropriate
when calling getStyle().  Furthermore it would no longer be necessary to rifle through all the
stylesheets in the document to look up styles; currently every serious DHTML developer is saddled
with code like the following, which, because it is quite slow, also needs a cache in front of it:

    for (var i = document.styleSheets.length - 1; i >= 0; i--) {
        var rules = document.styleSheets[i].cssRules;
        for (var j = rules.length - 1; j >= 0; j--) {
            if (rules[j].selectorText == "." + className) {
                var styleObj = rules[j].style;
                if (styleObj != null) return styleObj;
            }
        }
    }
Received on Friday, 4 April 2003 17:44:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 22 June 2012 06:13:56 GMT