Can the same constructed stylesheet be used in two different Documents? #23
Comments
|
For the purposes of this question does "documents" include document fragments (so shadow roots) or just a |
|
This question is about different |
|
I would be weary of that possibility because I can see foresee instances where library authors might want to check if the object they get is an instance of |
|
I think if once a constructed stylesheet is associated with any browsing context (i.e. specified for |
TakayoshiKochi
added
the
needs resolution
|
Let's conclude that a constructed stylesheet can only be associated with one document. |
Currently, empty CSSStyleSheets can only be constructed using a constructor method. This CL adds Document.createEmptyCSSStyleSheet so that it can be tied to document in the future. Tying it to document restricts the use of a CSSStyleSheet in different documents, which means CSSStyleSheets can only be used in the documents where they are constructed. This will reduce security risk. Note: The constructed CSSStyleSheet is not currently tied to the Document yet Constructor method will be deleted in another CL createEmptyCSSStyleSheet(CSSStyleSheetInit) produces an empty CSSStyleSheet, while createCSSStyleSheet(text, CSSStyleSheetInit) creates a CSSStyleSheet with text Link to related comments in discussion: WICG/construct-stylesheets#23 (comment) WICG/construct-stylesheets#15 (comment) Bug: 807560 Change-Id: I94ea6f795deaf0dee67fba5c2705c8749ac72da8 Reviewed-on: https://chromium-review.googlesource.com/1160422 Commit-Queue: Momoko Sumida <momon@google.com> Reviewed-by: Hayato Ito <hayato@chromium.org> Reviewed-by: Rakina Zata Amni <rakina@chromium.org> Cr-Commit-Position: refs/heads/master@{#581169}
Currently, empty CSSStyleSheets can be constructed either with a constructor or with Document.createEmptyCSSStyleSheet. This CL deletes the constructor so that they can only be produced by Document.createEmptyCSSStyleSheet. Document.createEmptyCSSStyleSheet is considered to be more desirable, as CSSStyleSheets produced by Document.createEmptyCSSStyleSheet can be tied to documents in the future. This means that their use can be limited in the documents where they were produced, resulting in higher security. Note: The constructed CSSStyleSheet is not currently tied to the Document yet Link to related comments in discussion: WICG/construct-stylesheets#23 (comment) WICG/construct-stylesheets#15 (comment) Bug: 807560 Change-Id: I767e15e83e1f31eb278bc81233c8b579d0f511c7 Reviewed-on: https://chromium-review.googlesource.com/1164876 Reviewed-by: Rakina Zata Amni <rakina@chromium.org> Reviewed-by: Hayato Ito <hayato@chromium.org> Commit-Queue: Momoko Sumida <momon@google.com> Cr-Commit-Position: refs/heads/master@{#581836}
This reverts commit af00b29. Reason for revert: Suspect for https://crbug.com/873015 I have low confidence that this is the culprit but it's my best guess. Original change's description: > Delete constructor for creating empty CSSStyleSheets > > Currently, empty CSSStyleSheets can be constructed either with a constructor or with Document.createEmptyCSSStyleSheet. > This CL deletes the constructor so that they can only be produced by Document.createEmptyCSSStyleSheet. > > Document.createEmptyCSSStyleSheet is considered to be more desirable, as CSSStyleSheets produced by Document.createEmptyCSSStyleSheet can be tied to documents in the future. This means that their use can be limited in the documents where they were produced, resulting in higher security. > > Note: > The constructed CSSStyleSheet is not currently tied to the Document yet > > Link to related comments in discussion: > WICG/construct-stylesheets#23 (comment) > WICG/construct-stylesheets#15 (comment) > > Bug: 807560 > Change-Id: I767e15e83e1f31eb278bc81233c8b579d0f511c7 > Reviewed-on: https://chromium-review.googlesource.com/1164876 > Reviewed-by: Rakina Zata Amni <rakina@chromium.org> > Reviewed-by: Hayato Ito <hayato@chromium.org> > Commit-Queue: Momoko Sumida <momon@google.com> > Cr-Commit-Position: refs/heads/master@{#581836} TBR=hayato@chromium.org,rakina@chromium.org,momon@google.com Change-Id: Iea70ff4dcc3a5ecf3a806b417572fd8f88e2e58b No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: 807560, 873015 Reviewed-on: https://chromium-review.googlesource.com/1170462 Reviewed-by: Matt Giuca <mgiuca@chromium.org> Commit-Queue: Matt Giuca <mgiuca@chromium.org> Cr-Commit-Position: refs/heads/master@{#582054}
|
#35 resolves this. It can't be used in multiple |
After discussions in WICG/construct-stylesheets#23, we concluded that using the same constructable stylesheet in multiple Documents should not be allowed, as it can raise security risk. This CL bans the use of CSSStyleSheets in different Documents by introducing associated_document_ in CSSStyleSheet and checking if the style is applied to the same Document when it's added to AdoptedStyleSheets of any TreeScope. Link to the issue: WICG/construct-stylesheets#23 Link to related CLs: crrev.com/c/1197002 ^ Bring back moreStyleSheets as adoptedStyleSheets crrev.com/c/1160422 ^ Implement Document.createEmptyCSSStyleSheet Bug: 807560 Change-Id: Ia0ff0af8f9baeca09b14bcbeb10897cc99b5a0bf Reviewed-on: https://chromium-review.googlesource.com/1220527 Commit-Queue: Momoko Sumida <momon@google.com> Reviewed-by: Rune Lillesveen <futhark@chromium.org> Reviewed-by: Rakina Zata Amni <rakina@chromium.org> Cr-Commit-Position: refs/heads/master@{#591303}
|
Reopening after @annevk's comment on WICG/webcomponents#759 (comment). Maybe it's OK to make a stylesheet be usable in more than one Documents if we clearly define things that need to be defined? According to #10, the URL of the stylesheet will stay the same, that is the document it is constructed on. For fetch group, we might want to use the one for the document it's constructed on? Not sure, I'll try to find out... One of the other things that was pointed out was the security aspect - can we modify another Document's <style> element's stylesheet? If we can't, then maybe it make sense to not allow injecting a constructed stylesheet to another Document. cc @tabatkins, who might be able to help solve these questions |
|
Resolved with #61. |
|
Is it very annoying implementation-wise to change the adoption algorithm in Blink? At least in Gecko we do need to iterate over the whole subtree including shadows, so I'd be surprised if that was hard to implement. I'd also be a bit surprised if Blink didn't have to go through every adopted node and shadow tree as well. |
|
I'll let @rakina answer on implementability, but from what I remember at TPAC most folks were loathe to add steps to the generic DOM tree adopting algorithm that support a CSSOM-specific feature. That felt like a layering violation. I guess upon reflection it might not be so bad; we'd just define the adopting steps for all shadow roots as doing this CSSOM stuff. We additionally had the issue of how to surface errors. If the purpose is to prevent adoption, then we'd have to throw from the adopt algorithm. But that currently isn't done at all, which could have wider-ranging consequences. I think people had a few tricky examples, e.g. copying and pasting across documents. |
|
So my main concern with the proposed setup is that it requires the stylesheets in the adopted shadow root to hold on to the document they came from originally (via "constructor document") and thus keep it alive, even if it's now been unloaded, etc. @emilio and I talked this over and we'd like to propose two things:
That will guarantee that the sheets in Thoughts? |
Nothing in any spec right now requires it being possible to weakly reference documents, afaict.
Hmm. I though we were still using the constructor document to detect constructed sheets, but looks like we have a separate "constructed flag" for that now. So I was just wrong there.
We'd just need to define adopting steps, not actually change adopt-a-node itself, right? I agree that it's not clear how this maps onto what implementations do.
Well, plus the weak ref machinery. I agree that given the "constructed flag" it should be possible to spec the weak ref stuff the way it should be implemented, as long as all implementations are on board with it. |
|
Thanks, seems like we're iterating toward two potentially-workable options. Here's my attempt at a summary, hopefully not too biased:
Note that I think both options would need an opt-in if we ever discover a use case and want to allow cross-document usage in the future. With these in hand, and remembering my priority of constituencies, I'm leaning a bit toward "prohibit the sheets". But I'd love to step back and give others a chance to comment or expand the pros/cons list. |
|
So is the big problem here the fetch group? Hold by the document and used by the style sheet. And a fetch group gets all its fetches canceled when a document's browsing context is navigated or goes away. And using the fetch group from the new document would mess up already ongoing fetches. Does the attempt to adopt have any impact on ongoing fetches in either solution? I.e., are they canceled? I guess since they are ignored/prohibited we'd just leave them alone. I guess the involved solution here is for the style sheet to have its own fetch group which is reference counted from the various fetch groups of the documents it's adopted in. We have nested fetch groups (not really specified though), but the reference counting aspect would be novel. |
|
Hmm, I'm not sure whether the fetch group is relevant to ignore vs. prohibit. The current spec says
which seems "good enough"... |
|
I meant that the reason folks want this strongly tied to a single document is the fetch group architecture, which albeit poorly defined, is a thing browsers have. |
Yes, it was a big reason (see #15) for not allowing multiple Document usages for now (along with complexity in implementation?) |
When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4
When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4
|
After thinking about it, I think it is better to prohibit the sheets and clear the adopted sheets on adoption to a different document like @bzbarsky's comment on #23 (comment). Blink's implementation had been updated, and I'll update the spec soon. |
When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Rakina Zata Amni <rakina@chromium.org> Cr-Commit-Position: refs/heads/master@{#623660}
When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Rakina Zata Amni <rakina@chromium.org> Cr-Commit-Position: refs/heads/master@{#623660}
When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Rakina Zata Amni <rakina@chromium.org> Cr-Commit-Position: refs/heads/master@{#623660}
… to a different document, a=testonly Automatic update from web-platform-tests Remove adopted stylesheets when adopting to a different document When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Rakina Zata Amni <rakina@chromium.org> Cr-Commit-Position: refs/heads/master@{#623660} -- wpt-commits: 52006fa6b573b044a4940dc7725f7151bfd8b1f9 wpt-pr: 14921
… to a different document, a=testonly Automatic update from web-platform-tests Remove adopted stylesheets when adopting to a different document When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Rakina Zata Amni <rakina@chromium.org> Cr-Commit-Position: refs/heads/master@{#623660} -- wpt-commits: 52006fa6b573b044a4940dc7725f7151bfd8b1f9 wpt-pr: 14921
… to a different document, a=testonly Automatic update from web-platform-tests Remove adopted stylesheets when adopting to a different document When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Rakina Zata Amni <rakina@chromium.org> Cr-Commit-Position: refs/heads/master@{#623660} -- wpt-commits: 52006fa6b573b044a4940dc7725f7151bfd8b1f9 wpt-pr: 14921
… to a different document, a=testonly Automatic update from web-platform-tests Remove adopted stylesheets when adopting to a different document When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Rakina Zata Amni <rakina@chromium.org> Cr-Commit-Position: refs/heads/master@{#623660} -- wpt-commits: 52006fa6b573b044a4940dc7725f7151bfd8b1f9 wpt-pr: 14921
… to a different document, a=testonly Automatic update from web-platform-tests Remove adopted stylesheets when adopting to a different document When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futharkchromium.org> Commit-Queue: Rakina Zata Amni <rakinachromium.org> Cr-Commit-Position: refs/heads/master{#623660} -- wpt-commits: 52006fa6b573b044a4940dc7725f7151bfd8b1f9 wpt-pr: 14921 UltraBlame original commit: b4cf67a4729e9d46e658cab1017f5296a96422fc
… to a different document, a=testonly Automatic update from web-platform-tests Remove adopted stylesheets when adopting to a different document When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futharkchromium.org> Commit-Queue: Rakina Zata Amni <rakinachromium.org> Cr-Commit-Position: refs/heads/master{#623660} -- wpt-commits: 52006fa6b573b044a4940dc7725f7151bfd8b1f9 wpt-pr: 14921 UltraBlame original commit: bb4af440bf34a125819c106faeb8be867a22ab3f
… to a different document, a=testonly Automatic update from web-platform-tests Remove adopted stylesheets when adopting to a different document When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futharkchromium.org> Commit-Queue: Rakina Zata Amni <rakinachromium.org> Cr-Commit-Position: refs/heads/master{#623660} -- wpt-commits: 52006fa6b573b044a4940dc7725f7151bfd8b1f9 wpt-pr: 14921 UltraBlame original commit: b4cf67a4729e9d46e658cab1017f5296a96422fc
… to a different document, a=testonly Automatic update from web-platform-tests Remove adopted stylesheets when adopting to a different document When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futharkchromium.org> Commit-Queue: Rakina Zata Amni <rakinachromium.org> Cr-Commit-Position: refs/heads/master{#623660} -- wpt-commits: 52006fa6b573b044a4940dc7725f7151bfd8b1f9 wpt-pr: 14921 UltraBlame original commit: bb4af440bf34a125819c106faeb8be867a22ab3f
… to a different document, a=testonly Automatic update from web-platform-tests Remove adopted stylesheets when adopting to a different document When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futharkchromium.org> Commit-Queue: Rakina Zata Amni <rakinachromium.org> Cr-Commit-Position: refs/heads/master{#623660} -- wpt-commits: 52006fa6b573b044a4940dc7725f7151bfd8b1f9 wpt-pr: 14921 UltraBlame original commit: b4cf67a4729e9d46e658cab1017f5296a96422fc
… to a different document, a=testonly Automatic update from web-platform-tests Remove adopted stylesheets when adopting to a different document When adopting a subtree to a different document, we'll remove all the adopted stylesheets in that subtree, instead of keeping them and then ignoring them in style calculation. Relevant discussion: WICG/construct-stylesheets#23 Bug: 807560 Change-Id: I7ea6c869892cabd9d3b5a765f26364e51b1419b4 Reviewed-on: https://chromium-review.googlesource.com/c/1415068 Reviewed-by: Rune Lillesveen <futharkchromium.org> Commit-Queue: Rakina Zata Amni <rakinachromium.org> Cr-Commit-Position: refs/heads/master{#623660} -- wpt-commits: 52006fa6b573b044a4940dc7725f7151bfd8b1f9 wpt-pr: 14921 UltraBlame original commit: bb4af440bf34a125819c106faeb8be867a22ab3f
|
@rakina can this issue be closed? I think your spec changes to follow the #23 (comment) proposal were made. |
|
Oops yeah forgot to actually close the issue. Thanks! |
Should adding the same constructed stylesheet in two different Documents be allowed? If it is, can it be used as a security attack vector?
The text was updated successfully, but these errors were encountered: