Re: [csswg-drafts] [css-view-transitions-2] Declarative opt-in for cross-document navigations (#8048)

> > Regarding cross-origin, I think it's a much bigger discussion.
> 
> I don't think we'll be able to ship this for all cross-origin...ever.

I agree :)

> I specifically meant the [same-site](https://web.dev/same-site-same-origin/) case, the security/privacy implications there are not as strict as different domains?

Yup, but also in the same-site cross-origin case there are *some* security implications that we don't have at all in same-origin.

> 
> > The main concept is that this opt in should be by name matching rather than Boolean.
> 
> The fundamental issue with either, a boolean or name matching, is that the syntax is not extendible to even same-origin cases like a subset of pages. For example:
> 
> ```css
> /* Opt-in for all same-origin navigations */
> @view-transition same-origin;
> 
> /* Opt-in for same-origin navigations only to URLs which match this pattern */
> @view-transition urlPattern(...);
> ```

The way I think about it is that there are two issues, and they are totally separate:
1. making sure that cross-document view transitions are intentional and the internal transition names match what the author has meant
2. accepting or rejecting a view transition from a same-site cross-origin referrer.

For (1), I think having something flexible like matching a root name/namespace attribute in CSS for the transition, without a meta tag or any boolean opt-in, would work really well and would be consistent with the spirit of how SPA transitions work.

For (2), to solve this in CSS you'd have to coerce CSS to do several things that it's not used to doing... for example, you might have `@view-transition same-origin` in your inline CSS, and then include some cross-origin stylesheet that would override it with `@view-transition same-site` or `@view-transition urlpattern(...)`. I think we would have to solve (2) on the HTML level, or even CSP, and my main concern there would be that it would become a side-channel for cross-origin pages to pass privacy-related information to each other, which an opt-in wouldn't solve.

-- 
GitHub Notification of comment by noamr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/8048#issuecomment-1554778154 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 19 May 2023 15:49:14 UTC