Re: CSP and inline styles from Yoav Weiss on 2012-12-28 (public-webappsec@w3.org from December 2012)

From: Yoav Weiss <yoav@yoav.ws>
Date: Sat, 29 Dec 2012 00:59:46 +0100
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: public-webappsec@w3.org
Message-ID: <CACj=BEi=Wd-oZzfqwibg-5+1Jj0W_GC+Z1kqOtet8m8VS==yTA@mail.gmail.com>

 >> This is true no matter whether inline styles are banned, since even if
they're allowed the page can _still_ put @viewport in an external
stylesheet, no?

True, but the same applies today to dynamically re-writing the <base href>
URL in Javascript. It breaks the PreloadScanner, so it is considered a bad
practice and very few developers do that.
Since the @viewport "damage" is already done, I'm hoping it can be
mitigated by promoting its inlining as best practice. Banning inline styles
in CSP will crush that hope.

>> For what it's worth, it can only work at the cost of deoptimizing other
parts of pageload (e.g. by requiring a layout to determine viewport size
much earlier than it would be needed otherwise).

I currently have it working (in a Chromium prototype, but still...) and did
not notice any slow down. I do query the layout width, but it doesn't seem
like a costly operation. At first glance, it seems like it simply queries a
the RenderLayer's size, without requiring any actual rendering. This is my
first attempt at adding new elements to a browser, so I could be wrong, but
I didn't see any slow-down in the page's rendering and in the requests
issued by the PreloadScanner.
In any case, I'd be happy to continue this discussion off this thread,
since it is not directly related to CSP.

Yoav

On Fri, Dec 28, 2012 at 6:53 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 12/28/12 5:58 AM, Yoav Weiss wrote:
>
>> Furthermore, with the recent addition of `@viewport` to CSS, banning
>> inline styles would prevent the HTMLPreloadScanner/**Speculative-parser
>> from evaluating media queries, since viewport modifications may be
>> applied in external CSS that is loaded and parsed *after* the
>> HTMLPreloadScanner have run.
>>
>
> This is true no matter whether inline styles are banned, since even if
> they're allowed the page can _still_ put @viewport in an external
> stylesheet, no?
>
>
>  I have shown (at part of the RICG’s `picture` element prototyping[4])
>> that MQ evaluation in the PreloadScanner can work
>>
>
> For what it's worth, it can only work at the cost of deoptimizing other
> parts of pageload (e.g. by requiring a layout to determine viewport size
> much earlier than it would be needed otherwise).
>
> -Boris
>
>

Received on Saturday, 29 December 2012 00:00:18 UTC