[whatwg] Selectors within <style scoped>

On Wed, 20 Jul 2011 20:55:51 +0100, Ashley Sheridan  
<ash at ashleysheridan.co.uk> wrote:

>> <div id=widget>
>>    <style scoped>
>>      #widget foo {}
>>    </style>
>> </div>
>
> While I agree that that might be a common pattern, I disagree that it's
> actually a good one. Consider an ad service which wraps everything in a
> custom <div> tag. If the scope allowed the immediate parent to be
> included as part of the scope, then it could allow the advert to be
> altered in a way that could negatively affect the users of the site the
> ad appeared on.

The site could wrap the ad in another div to prevent that (and this is  
typical when the site wants to create fixed-size ad slot).

> The purpose of scope in the style seems to be to protect elements
> outside of the included content and to 'contain' the included content
> that has the <style scoped> element in it, presumably because it's
> coming from an external source. If you allowed the immediate parent as
> your example, then it could allow the 3rd parties who created the advert
> to take over the element beyond what the advert service would prefer to
> be allowed.

For rogue 3rd parties there's <iframe> in seamless and sandboxed flavors.

If author is allowing untrusted and misbehaving code in the DOM, then it's  
already game over ? the ad can do anything, including creating <style>  
without scope and modifying other stylesheets.

Even scoped style could use position:absolute or fixed to modify looks of  
something outside the element.

-- 
regards, Kornel Lesi?ski

Received on Wednesday, 20 July 2011 13:37:33 UTC