W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2012

Re: CSP and inline styles

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 28 Dec 2012 16:46:30 -0800
Message-ID: <50DE3D66.9080807@mit.edu>
To: Yoav Weiss <yoav@yoav.ws>
CC: public-webappsec@w3.org
On 12/28/12 3:59 PM, Yoav Weiss wrote:
> I do query the layout width, but it
> doesn't seem like a costly operation. At first glance, it seems like it
> simply queries a the RenderLayer's size, without requiring any actual
> rendering.

In the case of Gecko, at least, asking for the size of a frame will 
force layout of all the frame's ancestors.  Furthermore, asking for the 
size of the viewport even in a top-level frame has to do various 
calculations that are usually deferred and may have to be redone, 
because the size in CSS pixels can depend on the contents of the 
document in various interesting ways.

> and in the requests issued by the PreloadScanner.

In Gecko's case, the equivalent of the PreloadScanner will start its 
preloads before any sort of geometry information about the viewport is 
available, in some cases before you know which viewport is involved, 
certainly before any inline styles have been parsed.

Chrome's equivalent is not as aggressive about preloading, having it 
wait until it's parsed an @viewport rule doesn't change much.

> In any case, I'd be happy to continue this discussion off this thread,
> since it is not directly related to CSP.

Well... it sort of is, since you're using this as an argument for 
changes to CSP...

Received on Saturday, 29 December 2012 00:47:02 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:30 UTC