- From: Thomas Ashe <Thomas.Ashe@Blackbaud.com>
- Date: Mon, 24 Jan 2000 12:29:12 -0500
- To: "'www-style'" <www-style@w3.org>
- Cc: "'Ian Hickson'" <py8ieh@bath.ac.uk>
On Saturday, January 22, 2000 5:44 PM, Ian Hickson [mailto:py8ieh@bath.ac.uk] wrote: > On Sat, 22 Jan 2000, Thomas Ashe wrote: > > > > For those of use developing web applications, I must ask how a user > > can use the display property safely. > > > > For example, say I serve a page that displays or hides elements > > using 'display', turning them on or off as the user makes choices on > > the page. > > Alarm bells immediately start ringing. Stylesheets should *never* be > used in cases where they are mandatory -- users can turn them off, can > turn off scripting, can override stylesheets, can use text browsers, > and perform any number of other atrocities to your pages. > > Remember: a stylesheet is only a set of *hints*. Nothing more. > If a user turns off scripting, it is easy enough to detect and alert the user that it is required for your application. If CSS is off, I'm sure that something similar can be done, though I haven't tried it specifically. (Turning them on and off is not available in certain popular UAs) But if a user overrides a CSS property...? How can an author detect this? I guess one could just set all of the display and visibility in code in the onload event. This should override anything set up in stylesheets, but you certainly are making the task a lot more difficult and take away the "Simplicity, Flexibility,etc..." that the CSS documents extol. > > > If the user adds: > > * {display:inline ! important; visibility:visible !important} > > ...then he will see all the fields, as he probably intended. > > > > Any scripts that perform validation are suddenly no longer able to > > rely on the fact that elements are only displayed when appropriate. > > Client-side scripts should not be used for validation. You have > absolutely no guarantee that client-side scripts will run, or how they > will run. Validation could be done client-side as a help to the user > to make sure that his data makes sense, but in the end the server must > ALWAYS validate the data itself. > Please, stop all!! :-) I did not mean to imply we are only performing validation on the client. We are certainly validating all things server-side. I was trying to point out one of the possible effects of the user modifying the stylesheets. I could care less if a user changes font and color properties for their preference or disability, but modifying display, visibility, and positioning seem like attributes that contain ravage pages. Ian, you stated in a previous email "...then the user controls layout, and can use 'display', 'margin', 'padding', 'border' and those I've forgotten safely." So I assume you mean that there are safe and unsafe things a user can do. Here are a few examples. 1) Say positioning is used. and labels are positioned with fields. removing positioning can remove the correlation between labels and the fields they represent providing the user with a jumbled mess of page elements. 2) Let's consider CSS-3 UI proposals. With this I should be able to serve up an XML document to a conforming User-Agent, who will then turn an XML element into a select list(drop-down, popup, whatever your vernacular), with content set to a certain set of values.(Say, a list of states in an address form.) Using a user!important stylesheet, a user can then turn this into a text input control. The user tries to submit the page and it returns an error. The user calls tech support to say that the server returned an error to them. The tech support agent is clueless as to how the user could enter an invalid 'State', since the tech support agent is probably unaware that anybody could modify the application on the client side. I think this gets back to the fact that two things are being commonly implemented on the Web. Publishing of documents, where no harm could be done when an author's stylesheet is overridden by a user, and web applications, where it much can be done to damage the effectiveness of the application. Regarding the cascade, it seems that it changed from CSS-1 with the author having the last say, to CSS-2 where the author has the last say unless it is an !important rule, where the user has the last say. Is this correct? With that being the case, you are effectively crippling applications is subtle ways that are much harder to pinpoint and debug. > If a page relies on stylesheets and/or scripting to be usable, then it > is clearly not using techniques for graceful degradation. Have you > checked the relevant pages on Lynx? No, we are not allowing for graceful degradation. When you are relying on CSS-2, HTML4, and DOM Level 1, there is really anything to degrade to. -Tom
Received on Monday, 24 January 2000 12:29:23 UTC