When we allow base URLs to have `data:` scheme, as required by the URL standard and tested in Interop 2023 URL focus area, the test below I think will hang Firefox, just like it currently hangs Chrome: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/11967 ``` <!-- quirks --> <link rel=stylesheet href="data:/, @import url('x/');"> Does this hang the browser? ``` What the test does is that it first loads a stylesheet with a data: URL that has the MIME type "/" and the contents " @import url('x/');". The document is in quirks mode, where non-CSS-MIME-type same-origin stylesheet loads are allowed. The stylesheet then imports the relative URL 'x/', which is resolved against the stylesheet's URL (which is "data:/, @import url('x/');"), which, per the URL standard is "data:/, @import url('x/x/". The CSS parser auto-closes strings and functions, so the imported stylesheet imports a new URL, and so on. Also see spec issue [2]. Gecko applies the stylesheet, but currently disallows data: as base URLs. The latter will be changed to conform with the URL standard (https://bugzilla.mozilla.org/show_bug.cgi?id=url), so we need to fix this issue also to avoid the hang. In WebKit and per the HTML standard [1], the first stylesheet should be rejected because the origin of the URL is a new opaque origin, which is not same origin with the document. A simpler test that only exercises the origin check without hanging: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/11968 <!-- quirks --> <link rel=stylesheet href="data:text/plain,html { background: red }"> There should be no red. [1] "If the document has been set to quirks mode, has the same origin as the URL of the external resource" https://html.spec.whatwg.org/multipage/links.html#link-type-stylesheet and "Otherwise Return a new opaque origin." https://url.spec.whatwg.org/#origin [2] https://github.com/whatwg/html/issues/2249
Bug 1850965 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
When we allow base URLs to have `data:` scheme, as required by the URL standard and tested in Interop 2023 URL focus area, the test below I think will hang Firefox, just like it currently hangs Chrome: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/11967 ``` <!-- quirks --> <link rel=stylesheet href="data:/, @import url('x/');"> Does this hang the browser? ``` What the test does is that it first loads a stylesheet with a data: URL that has the MIME type "/" and the contents " @import url('x/');". The document is in quirks mode, where non-CSS-MIME-type same-origin stylesheet loads are allowed. The stylesheet then imports the relative URL 'x/', which is resolved against the stylesheet's URL (which is "data:/, @import url('x/');"), which, per the URL standard is "data:/, @import url('x/x/". The CSS parser auto-closes strings and functions, so the imported stylesheet imports a new URL, and so on. Also see spec issue [2]. Gecko applies the stylesheet, but currently disallows data: as base URLs. The latter will be changed to conform with the URL standard (https://bugzilla.mozilla.org/show_bug.cgi?id=url), so we need to fix this issue also to avoid the hang. In WebKit and per the HTML standard [1], the first stylesheet should be rejected because the origin of the URL is a new opaque origin, which is not same origin with the document. A simpler test that only exercises the origin check without hanging: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/11968 ``` <!-- quirks --> <link rel=stylesheet href="data:text/plain,html { background: red }"> There should be no red. ``` [1] "If the document has been set to quirks mode, has the same origin as the URL of the external resource" https://html.spec.whatwg.org/multipage/links.html#link-type-stylesheet and "Otherwise Return a new opaque origin." https://url.spec.whatwg.org/#origin [2] https://github.com/whatwg/html/issues/2249