- From: Robin Berjon <robin@w3.org>
- Date: Tue, 04 Feb 2014 17:21:16 +0100
- To: Neil Jenkins <neilj@fastmail.fm>, HTML for Email Community Group <public-htmail@w3.org>
Hi, welcome!

I have to say that I really like the JMAP draft that FastMail released not long ago.

On 04/02/2014 02:40, Neil Jenkins wrote:
> 1. Have a hidden iframe in which we inject the CSS.
> 2. Build a DOM tree from the HTML using innerHTML in the scope of the
> original page, but don't insert it into the document yet.
> 3. Use the Stylesheets API to traverse the parsed CSS in the iframe,
> then use querySelectorAll to find the elements in the DOM tree that
> a rule applies to and apply the style directly to the elements. We
> iterate backwards through the rules and don't override a style
> already set, which maintains the basic precedence (direct attribute
> > CSS rule, later rules > earlier rules), but doesn't match the
> real CSS precedence. We also support most media queries.
> 4. Strip the ids and class names from the elements to avoid any
> conflicts with the CSS for the UI.
> 5. Inject it into the page for the browser to render.

Man, that's painful. There really should be a way of handling this more cleanly and off the shelf.

I wonder (not just for FastMail, feedback from other implementers is of course welcome):

• Does <style scoped> help you in any way? Would you need something else?
• Regarding stuff like removing position: fixed, what if there were a way of indicating from a containing context that such properties (or in general positions outside of the box) are forbidden? Would that help?
• I'm curious why you're not using an iframe to display the email content — is that for performance reasons? Or something else?
• It's looking like, as a solution, it may not be here to stay, but would something like <iframe seamless> help you? If not, would something else of the same kind?
• What if browsers provided an API that allowed them to sanitise content for you (with some parameters allowing you to control the whitelist), would that help? Would you use it? I consider this because presumably such an API would benefit from wide review, regular attacks, etc. — in other words what you want from such a security-critical piece of kit.
• Do you use CSP? If not, is there anything to fix with it that would make it work for you?

-- 
Robin Berjon - http://berjon.com/ - @robinberjon
Received on Tuesday, 4 February 2014 16:21:25 UTC
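As an added illustration of steps 3 and 4 of the pipeline Neil describes (this is not FastMail's code nor anything from the thread), here is a DOM-free model that runs in Node: elements are plain objects, rules mirror the `selectorText`/`style` shape the CSSOM exposes, and the `forbidden` set is an assumption standing in for the "containing context forbids position: fixed" idea Robin raises. It shows why the backwards, no-override walk yields inline style > later rule > earlier rule rather than true CSS specificity.

```javascript
// Added example, not FastMail's code. Models steps 3-4: apply parsed CSS rules
// directly to elements (backwards, never overriding), veto escape-from-the-box
// properties (assumed "forbidden" set), then strip id/class to avoid UI clashes.

// Parse a style="" attribute into a {prop: value} map (direct attributes win).
function parseInlineStyle(text) {
  const style = {};
  for (const decl of (text || '').split(';')) {
    const idx = decl.indexOf(':');
    if (idx > 0) style[decl.slice(0, idx).trim()] = decl.slice(idx + 1).trim();
  }
  return style;
}

// Build an element node; children is an array of nodes.
function el(tag, attrs = {}, children = []) {
  return { tag, attrs: { ...attrs }, style: parseInlineStyle(attrs.style), children };
}

// Depth-first flatten so every element is visited once (querySelectorAll stand-in).
function allElements(node, out = []) {
  out.push(node);
  node.children.forEach(c => allElements(c, out));
  return out;
}

// Match a comma-separated list of simple compound selectors: tag, .class, #id.
function matches(node, selectorText) {
  return selectorText.split(',').some(sel => {
    const m = /^\s*([a-z*]*)((?:[.#][\w-]+)*)\s*$/i.exec(sel);
    if (!m) return false;                       // unsupported selector: never matches
    if (m[1] && m[1] !== '*' && m[1].toLowerCase() !== node.tag) return false;
    const classes = (node.attrs.class || '').split(/\s+/);
    return (m[2].match(/[.#][\w-]+/g) || []).every(t =>
      t[0] === '#' ? node.attrs.id === t.slice(1) : classes.includes(t.slice(1)));
  });
}

// Step 3: walk rules backwards, never overriding a property already set, so
// inline style > later rule > earlier rule (NOT real CSS specificity: a later
// plain "p" rule beats an earlier ".msg" rule). Step 4: strip id and class.
function applyRules(root, rules, forbidden = new Set(['position'])) {
  const nodes = allElements(root);
  for (let i = rules.length - 1; i >= 0; i--) {
    for (const node of nodes.filter(n => matches(n, rules[i].selectorText))) {
      for (const [prop, value] of Object.entries(rules[i].style)) {
        if (forbidden.has(prop) || prop in node.style) continue;
        node.style[prop] = value;
      }
    }
  }
  for (const node of nodes) { delete node.attrs.id; delete node.attrs.class; }
  return root;
}
```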