Horizontal Review request for CSS Custom Highlight API Level 1

Hi security people,

The CSSWG's Custom Highlight API Module Level 1 was recently published as an FPWD, and as one of its editors, I thought this was a good time to let you know of its existence and invite initial review.

https://www.w3.org/TR/css-highlight-api-1/

The Custom Highlight API extends the concept of highlight pseudo-elements (see CSS Pseudo-Elements 4 §3 Highlight Pseudo-elements) by providing a way for web developers to style the text of arbitrary Range objects, rather than being limited to the user agent defined ::selection, ::inactive-selection, ::spelling-error, and ::grammar-error. This is useful in a variety of scenarios, including editing frameworks that wish to implement their own selection, find-on-page over virtualized documents, multiple selection to represent online collaboration, or spellchecking frameworks.

The Custom Highlight API provides a programmatic way of adding and removing highlights that do not affect the underlying DOM structure, but instead apply styles to text based on range objects, accessed via the ::highlight() pseudo-element.

These custom highlights are currently thought not to introduce any security concern, but the CSSWG would be interested to know if you can spot something we missed.

You may find the results of the security and privacy questionnaire at:

 https://lists.w3.org/Archives/Public/www-style/2020Dec/0007.html

as well as the privacy and security section of the specification at:

 https://drafts.csswg.org/css-highlight-api-1/#priv-sec

Please raise any issues in the csswg GitHub repo, using a separate issue for each concern:

 https://github.com/w3c/csswg-drafts/issues

If you think this specification has nothing of interest for your group, please let us know. Otherwise, we will request review again when we get close to CR, and if anything major changes before then.

—Florian

Received on Tuesday, 8 December 2020 12:23:48 UTC