Re: [csswg-drafts] [css-view-transitions-2] Declarative opt-in for cross-document navigations (#8048)

@noamr 

> > `@font-face` and `@property` are also global declarations in CSS.
> 
> They give meaning to all kind of names, but they don't affect the style directly.

The proposed opt-in doesn't affect style either. It opts into a view transition on navigation (like calling `startViewTransition`).

> an issue of unintended visual effects by having e.g. an SPA transition in both documents lead to a spurious MPA transition between the two documents.

Can you go into more detail about that? See https://github.com/w3c/csswg-drafts/issues/8677 - I don't think it'll be unusual for the same animation declarations to be used in both SPA and MPA transitions.

There's a doc internally that compares SPA transition features with MPA, where a lot of this is discussed (although it should be across various issues now), @khushalsagar can give you access.

> IMO any kind of boolean opt-in doesn't solve this

This proposal allows for more than a simple boolean https://github.com/w3c/csswg-drafts/issues/8048#issuecomment-1495777539. Also, the conditionals can be complex thanks to media queries (see the other issues on url matching).

> Instead, I propose something a bit more flexible and : the `:root` of both documents has to share some sort of name. It can be the `view-transition-name` (perhaps if it's not "root", but that might be a bit too implicit), or a new property like a `page-transition-name`. Only if the names match, the view transition would be enabled.

Two problems with this: You have to do special hard-to-reason-about things to use the same transitions for both SPA and MPA, and it creates a CSS property that only works on one element (or a property that works very differently on one particular element). That's the whole reason a global switch was proposed rather than something per-element.

> * making sure that cross-document view transitions are intentional and the internal transition names match what the author has meant

I think a key to this is ensuring that SPA and MPA transitions across the same two pages are as similar as possible. The difference being that one opts in with JS (by calling `startViewTransition`), and the other opts-in via some other simple means.

> to solve this in CSS you'd have to coerce CSS to do several things that it's not used to doing... for example, you might have `@view-transition same-origin` in your inline css, and then include some cross-origin stylesheet that would override it with `@view-transition same-site` or `@view-transition urlpattern(...)`, which would require fiddling with cascading rules.

This is already an issue with @keyframes, @font-face, @property etc etc, so we can follow the same rules.

> I think we would have to solve (2) on the HTML level, or even CSP, and my main concern there would be that it would become a side-channel for cross-origin pages to pass privacy-related information to each other, which an opt-in wouldn't solve.

Can you provide details of the attack you're trying to prevent? [Third party CSS isn't safe](https://jakearchibald.com/2018/third-party-css-is-not-safe/).

-- 
GitHub Notification of comment by jakearchibald
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/8048#issuecomment-1554999704 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 19 May 2023 17:22:26 UTC