- From: Kornel Lesiński <kornel@geekhood.net>
- Date: Wed, 20 Jul 2011 21:37:33 +0100
On Wed, 20 Jul 2011 20:55:51 +0100, Ashley Sheridan <ash at ashleysheridan.co.uk> wrote: >> <div id=widget> >> <style scoped> >> #widget foo {} >> </style> >> </div> > > While I agree that that might be a common pattern, I disagree that it's > actually a good one. Consider an ad service which wraps everything in a > custom <div> tag. If the scope allowed the immediate parent to be > included as part of the scope, then it could allow the advert to be > altered in a way that could negatively affect the users of the site the > ad appeared on. The site could wrap the ad in another div to prevent that (and this is typical when the site wants to create fixed-size ad slot). > The purpose of scope in the style seems to be to protect elements > outside of the included content and to 'contain' the included content > that has the <style scoped> element in it, presumably because it's > coming from an external source. If you allowed the immediate parent as > your example, then it could allow the 3rd parties who created the advert > to take over the element beyond what the advert service would prefer to > be allowed. For rogue 3rd parties there's <iframe> in seamless and sandboxed flavors. If author is allowing untrusted and misbehaving code in the DOM, then it's already game over ? the ad can do anything, including creating <style> without scope and modifying other stylesheets. Even scoped style could use position:absolute or fixed to modify looks of something outside the element. -- regards, Kornel Lesi?ski
Received on Wednesday, 20 July 2011 13:37:33 UTC