Closed Bug 1302991 Opened 9 years ago Closed 4 years ago

Empty url()s should not load anything

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Version:
51 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
87 Branch
Tracking Flags:
Tracking Status
firefox51 --- wontfix
firefox87 --- fixed

People

(Reporter: sebo, Assigned: emilio)

References

Details

Attachments

(4 files)

Test case
154 bytes, text/html
Details
Bug 1302991 - Empty url()s should not load or request anything
58 bytes, text/x-review-board-request
Details
Bug 1302991 - Move the check to prevent loading internal resources as images. r=#layout-reviewers
48 bytes, text/x-phabricator-request
Details | Review
Bug 1302991 - Do not try to resolve empty CSS url values. r=#layout-reviewers
48 bytes, text/x-phabricator-request
Details | Review
Attached file Test case
CSS Values 3 says[1] this: > If the value of the url() is the empty string (like url("") or url()), the url > must resolve to an invalid resource (similar to what the url about:invalid does). Though Gecko currently causes a request for them, as shown in the attached test case. Sebastian [1] https://drafts.csswg.org/css-values-3/#url-empty
The right fix here is probably to make css::URLValueData::GetURI() skip the NS_NewURI call if the string is null and hence treat the situation just like we treat NS_NewURI failing (i.e. invalid URL).
Mentor: bzbarsky
@Boris: It seems that I couldn't assign you as a reviewer because you aren't accepting any requests; please feel free to review it whenever you can. :) Also, since I am not at all familiar with this part of the codebase, I am not entirely sure if the one check that I inserted will handle all the empty/null string cases. It does work for the attached testcase though (which is url() and not url("") or something else). We should probably lock this down using a test as well.
Priority: -- → P3
Comment on attachment 8805310 [details] Bug 1302991 - Empty url()s should not load or request anything David, as Boris currently doesn't accept review requests, could you please do a review for this? Or forward the request to someone else, so this code doesn't bitrot?
Attachment #8805310 - Flags: review?(dbaron)
Assignee: nobody → sumi29
Status: NEW → ASSIGNED
Comment on attachment 8805310 [details] Bug 1302991 - Empty url()s should not load or request anything https://reviewboard.mozilla.org/r/89054/#review177634 Two surface concerns are: * it's better not to call NS_ConvertUTF16toUTF8(nsCSSValue::GetBufferValue(mString)) twice; it should instead be put in a variable. * mURIResolved should be set to true even if it's the empty string, so we don't keep executing the code However, the bigger concern is what happens with stylo. I'm not sure whether this code will still be used for this once we enable stylo (layout.css.servo.enabled). There probably are also a few other cases that would need to be handled, since this code doesn't handle url() for @import rules or @namespace rules and maybe for some other case.
Attachment #8805310 - Flags: review?(dbaron)
Given how long this has sat already, I think it's best to come back to this in a month or two once stylo settles down.
Flags: needinfo?(dbaron)
Makes sense - thanks for the review David. Let's revisit this after the dust from Stylo has settled down.
Stylo has settled down. Probably worth looking at this again. Sumit, are you still in a position to work on this?
Flags: needinfo?(sumi29)

Sumit obviously wasn't active on Bugzilla for more than a year and didn't answer to Boris' request, therefore I reset the assignee now.

Sebastian

Assignee: sumi29 → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(sumi29)
Mentor: bzbarsky
Priority: P3 → --

Stylo has settled for quite some time now, so maybe this could be reprioritized now.

For what it's worth, there was an issue mentioned on Stack Overflow lately, which was caused by this.

Furthermore, Chromium has the same issue and also has a bug filed for it.

Sebastian

Flags: needinfo?(emilio)
Flags: needinfo?(emilio)
Flags: needinfo?(dbaron)

No behavior change, but the new place seems more appropriate.

Assignee: nobody → emilio
Status: NEW → ASSIGNED

So as to not try to load the same document as a subresource.

Depends on D103716

Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fd4ba1eeec00 Move the check to prevent loading internal resources as images. r=dholbert https://hg.mozilla.org/integration/autoland/rev/e4734e2b38b6 Do not try to resolve empty CSS url values. r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/27472 for changes under testing/web-platform/tests
Upstream PR was closed without merging

Broken test.

Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5785ba1a0aba Move the check to prevent loading internal resources as images. r=dholbert https://hg.mozilla.org/integration/autoland/rev/a2e7db8b9e98 Do not try to resolve empty CSS url values. r=dholbert

https://hg.mozilla.org/mozilla-central/rev/5785ba1a0aba
https://hg.mozilla.org/mozilla-central/rev/a2e7db8b9e98

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox87: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
Upstream PR merged by moz-wptsync-bot
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: