RE: user!important

On Mon, 24 Jan 2000, Thomas Ashe wrote:
>>> For those of us developing web applications, I must ask how a
>>> user can use the display property safely.
>>> 
>>> For example, say I serve a page that displays or hides elements
>>> using 'display', turning them on or off as the user makes choices
>>> on the page.
>> 
>> Alarm bells immediately start ringing. Stylesheets should *never*
>> be used in cases where they are mandatory -- users can turn them
>> off, can turn off scripting, can override stylesheets, can use text
>> browsers, and perform any number of other atrocities to your pages.
>> 
>> Remember: a stylesheet is only a set of *hints*. Nothing more.
> 
> If a user turns off scripting, it is easy enough to detect and alert
> the user that it is required for your application.

Hmm. Doesn't help much if your UA doesn't support scripting (e.g.
Lynx) or if you are behind a firewall which strips scripts for
security reasons.

You shouldn't _need_ scripts for the page to be usable. They should
just be helpful.

 
> If CSS is off, I'm sure that something similar can be done, though I
> haven't tried it specifically. (Turning them on and off is not
> available in certain popular UAs)

There are several ways, as mentioned by David Wagner.

 
> I did not mean to imply we are only performing validation on the
> client. We are certainly validating all things server-side.

Glad to hear it! :-D

 
> I was trying to point out one of the possible effects of the user
> modifying the stylesheets.
> 
> I could care less if a user changes font and color properties for
> their preference or disability, but modifying display, visibility,
> and positioning seem like attributes that can ravage pages.

The page is marked up using a publicly known structural language,
right? (e.g., HTML.)

In that case, the user will know what elements represent what, and be
able to style your document (and all other documents) in a reasonable
manner. If the user starts using 'visibility' and 'display', then yes,
of course they are letting themselves into a dangerous area. But you
do not need to worry about this. The user is doing it because he knows
what he is doing, and wants everything to be visible (or whatever).
Provided we all follow known, structural, standards (currently mainly
HTML), then the result should be ok.


>> ...then the user controls layout, and can use 'display', 'margin',
>> 'padding', 'border', and those I've forgotten, safely."
> So I assume you mean that there are safe and unsafe things a user
> can do.

Yes -- only declare _some_ of the above. If the user only sets the
margin property, for example, then the result is bound to clash with
the author's setting of the 'width' property. And then results _will_
be nasty. Just like setting 'color' and not 'background'.


> 1) Say positioning is used, and labels are positioned with fields.
> Removing positioning can remove the correlation between labels and
> the fields they represent, providing the user with a jumbled mess of
> page elements.

Not if you are designing your pages in a structural way...

Anyway, assuming you are using 

   <label for="id"> ... </label>
   [...]
   <input id="id" ...>

...then using my recently suggested /attr/ proposal, you can make sure
that the fields and labels stick together.


> 2) Let's consider CSS-3 UI proposals. 

Ouch. Those are more of a difficult point. I would not recommend the
user messing about with the UI properties, since they change behaviour
and not what the page actually _looks_ like.

I can't really think of a time where the user would _want_ to change
the UI properties, though.

 
>> If a page relies on stylesheets and/or scripting to be usable, then
>> it is clearly not using techniques for graceful degradation. Have
>> you checked the relevant pages on Lynx?
> No, we are not allowing for graceful degradation. When you are
> relying on CSS-2, HTML4, and DOM Level 1, there is really anything
> to degrade to.

Why are you _relying_ on CSS2? And client side scripting? What
features of CSS and scripting are required by you?

Graceful degradation is _required_ if you want your Web Applications
to work on upcoming platforms like PDAs and internet-by-voice phones.

-- 
Ian Hickson                            ("`-''-/").___..--''"`-._   
http://www.bath.ac.uk/%7Epy8ieh/        `6_ 6  )   `-.  (     ).`-.__.`)
                                        (_Y_.)'  ._   )  `._ `. ``-..-' fL
Member, Mozilla Quality Assurance     _..`--'_..-_/  /--'_.' ,'
Browser Standards Compliance Team    (il).-''  (li).'  ((!.-'    

Received on Thursday, 27 January 2000 18:56:46 UTC
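
The point made in the thread above, that 'display' is only a hint and everything must be validated server-side, shown as an added example that is not part of the original message. The form, its field names and `validateSubmission` are hypothetical: the server re-derives which fields apply from the submitted choice instead of trusting what the stylesheet or script showed or hid.

```javascript
// Constructed form description (hypothetical field names). The page's own
// script/CSS might use a similar table to toggle 'display', but the server
// never trusts that toggle. Rules run in order, so choice fields come first.
const FIELD_RULES = {
  delivery: { required: true, oneOf: ["pickup", "ship"] },
  store:    { required: true, appliesWhen: (c) => c.delivery === "pickup" },
  street:   { required: true, appliesWhen: (c) => c.delivery === "ship" },
  postcode: { required: true, appliesWhen: (c) => c.delivery === "ship",
              pattern: /^[A-Za-z0-9 -]{3,10}$/ },
  giftNote: { required: false, appliesWhen: (c) => c.delivery === "ship" },
};

// Validate a submitted form body (plain object of strings).
// Returns { ok, errors, clean }; clean holds only applicable, valid fields.
function validateSubmission(body) {
  const errors = [];
  const clean = {};
  for (const [name, rule] of Object.entries(FIELD_RULES)) {
    const raw = typeof body[name] === "string" ? body[name].trim() : "";
    // Applicability is decided from already-validated values, not from
    // whether the element was visible in the user's browser.
    const applies = rule.appliesWhen ? rule.appliesWhen(clean) : true;
    if (!applies) {
      // Meant to be hidden. A user stylesheet, a text browser or disabled
      // CSS may have shown the field anyway, so any value is ignored.
      continue;
    }
    if (raw === "") {
      // Meant to be shown, but may have been hidden or skipped client-side.
      if (rule.required) errors.push(`${name}: required`);
      continue;
    }
    if (rule.oneOf && !rule.oneOf.includes(raw)) {
      errors.push(`${name}: not an allowed value`);
      continue;
    }
    if (rule.pattern && !rule.pattern.test(raw)) {
      errors.push(`${name}: bad format`);
      continue;
    }
    clean[name] = raw;
  }
  return { ok: errors.length === 0, errors, clean };
}
```
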