Re: Introduction: Neil Jenkins, FastMail

• From: Robin Berjon <robin@w3.org>
• Date: Tue, 04 Feb 2014 17:21:16 +0100
• To: Neil Jenkins <neilj@fastmail.fm>, HTML for Email Community Group <public-htmail@w3.org>
• Message-ID: <52F1137C.30100@w3.org>

Hi,

welcome! I have to say that I really like the JMAP draft that FastMail 
released not long ago.

On 04/02/2014 02:40 , Neil Jenkins wrote:
>    1. Have a hidden iframe in which we inject the CSS.
>    2. Build a DOM tree from the HTML using innerHTML in the scope of the
>       original page, but don't insert it into the document yet.
>    3. Use the Stylesheets API to traverse the parsed CSS in the iframe,
>       then use querySelectorAll to find the elements in the DOM tree that
>       a rule applies to and apply the style directly to the elements. We
>       iterate backwards through the rules and don't override a style
>       already set, which maintains the basic precedence (direct attribute
>       > CSS rule, later rules > earlier rules), but doesn't match the
>       real CSS precedence. We also support most media queries.
>   4. Strip the ids and class names from the elements to avoid any
>      conflicts with the CSS for the UI.
>   5. Inject it into the page for the browser to render.

Man, that's painful. There really should be a way of handling this more 
cleanly and off the shelf.

I wonder (not just for FastMail, feedback from other implementers is of 
course welcome):

• Does <style scoped> help you in any way? Would you need something else?

• Regarding stuff like removing position: fixed, what if there were a 
way of indicating from a containing context that such properties (or in 
general positions outside of the box) are forbidden? Would that help?

• I'm curious why you're not using an iframe to display the email 
content — is that for performance reasons? Or something else?

• It's looking like, as a solution, it may not be here to stay, but 
would something like <iframe seamless> help you? If not, would something 
else of the same kind?

• What if browsers provided an API that allowed them to sanitise content 
for you (with some parameters allowing you to control the whitelist), 
would that help? Would you use it? I consider this because presumably 
such an API would benefit from wide review, regular attacks, etc. — in 
other words what you want from such a security-critical piece of kit.

• Do you use CSP? If not, is there anything to fix with it that would 
make it work for you?

-- 
Robin Berjon - http://berjon.com/ - @robinberjon

Received on Tuesday, 4 February 2014 16:21:25 UTC