- From: Simon Pieters <simonp@opera.com>
- Date: Mon, 23 Feb 2015 09:44:31 +0100
- To: "Tab Atkins Jr." <jackalmage@gmail.com>, "Daniel Glazman" <daniel.glazman@disruptive-innovations.com>
- Cc: "public-houdini@w3.org" <public-houdini@w3.org>
On Mon, 23 Feb 2015 09:11:23 +0100, Simon Pieters <simonp@opera.com> wrote: > On Thu, 19 Feb 2015 17:46:50 +0100, Daniel Glazman > <daniel.glazman@disruptive-innovations.com> wrote: > >> On 19/02/2015 17:36, Tab Atkins Jr. wrote: >> >>> The CSSOM *does* contain such comments, because it offers access to >>> the textual contents of the stylesheet. > > Where? > >> Only if your cssText is really the original textual content. You >> seem to indicate this is the case for Blink but it's not the >> case for Gecko where the cssText is serialized/reconstructed >> from the OM. That saves quite a bit of memory footprint. >> Blink's choice being different, is that motivated by a use >> case (I could perfectly understand that)? > > Blink is not different AFAICT. > > http://software.hixie.ch/utilities/js/live-dom-viewer/saved/3424 > > Although we allow reading of computed (or used) style with > getComputedStyle, we don't allow access to the raw text and cross-origin > we don't allow access to rules where the selector is not applied. Also things in @media rules that are not applied. > The main problem is that cross-origin loading of CSS is allowed in the > first place. This has caused problems like > https://bugzilla.mozilla.org/show_bug.cgi?id=524223 > > I don't know if there was a concrete attack scenario that led browsers > to implement cross-origin restriction for CSSOM or if it was "just" > defence-in-depth. It was implemented before I put it in the spec. It > does protect stylesheets that have secrets in selectors. It might > protect other things, too. I think the restriction should not be lifted > lightly. > -- Simon Pieters Opera Software
Received on Monday, 23 February 2015 08:44:43 UTC