- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Fri, 13 Dec 2013 16:50:55 +1100
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, Domenic Denicola <domenic@domenicdenicola.com>, Ian Hickson <ian@hixie.ch>, Webapps WG <public-webapps@w3.org>
On Thu, Dec 12, 2013 at 10:03 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Tue, Dec 10, 2013 at 8:24 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>> On Wed, Dec 11, 2013 at 2:46 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>> On 12/10/13 6:30 PM, Jonas Sicking wrote:
>>>>
>>>> I would also think that you need properties to position the ::popout.
>>>
>>> Oh, yes. The extra fun here is:
>>>
>>> 1) Should the popout be able to paint outside the browser window? Right
>>> now, comboboxes (select size=1) can but normal CSS boxes cannot.
>>>
>>> 2) The popout needs to pop out in different directions (up or down)
>>> depending on the screen position of the anchor, the popout dimensions, and
>>> the screen dimensions.
>>>
>>> 3) The size of the popout needs to be capped in some way.
>>>
>>> Maybe all that logic should just live in the UA and the page just needs a
>>> way of saying "here is a popout thingie, anchor it here".
>>
>> Yes, the "popout thingy" probably needs to be a specialized 'display'
>> value that is only valid on the popout pseudo, so we can bottle the
>> magic precisely.
>
> Allowing the popout thingy to go outside of the browser window, while
> at the same time allowing it to be heavily customized, scares me a
> lot. At some it allows click-jacking parent windows. Or even rendering
> input controls in the parent window and steal data that the user
> thinks he's entering into the parent.
>
> Even just detecting where in the parent window the user is hovering
> the mouse or clicking could leak critical data if the user is unaware.
>
> Can we define a subset of styles that are safe?
>
> I had imagined that we pretty quickly would fall back to rendering the
> popout only inside the same window. Sadly.

Yeah, I imagine that while the popout is in the magic 'display' state, it only accepts a handful of text/bg properties. Considering the display modes of popouts in mobile browsers, that's about all we can allow anyway.

You'd have to switch it to display:block or appearance:none or whatever to get full power, and then you lose the more magical aspects of popout behavior. (And browsers can always force it into the magical mode with a UA !important rule, which mobile browsers probably should do.)

~TJ
Received on Friday, 13 December 2013 05:51:43 UTC