Open Bug 1850965 Opened 11 months ago Updated 11 months ago

Stylesheet loading quirk incorrectly allows loading data: with non-CSS MIME type

Categories

(Core :: DOM: Core & HTML, defect)

People

(Reporter: zcorpan, Unassigned, NeedInfo)

Details

When we allow base URLs to have data: scheme, as required by the URL standard and tested in Interop 2023 URL focus area, the test below I think will hang Firefox, just like it currently hangs Chrome:

http://software.hixie.ch/utilities/js/live-dom-viewer/saved/11967

<!-- quirks -->
<link rel=stylesheet href="data:/, @import url('x/');">
Does this hang the browser?

What the test does is that it first loads a stylesheet with a data: URL that has the MIME type "/" and the contents " @import url('x/');". The document is in quirks mode, where non-CSS-MIME-type same-origin stylesheet loads are allowed. The stylesheet then imports the relative URL 'x/', which is resolved against the stylesheet's URL (which is "data:/, @import url('x/');"), which, per the URL standard, is "data:/, @import url('x/x/". The CSS parser auto-closes strings and functions, so the imported stylesheet imports a new URL, and so on.

Also see spec issue [2].

Gecko applies the stylesheet, but currently disallows data: as base URLs. The latter will be changed to conform with the URL standard (https://bugzilla.mozilla.org/show_bug.cgi?id=url), so we need to fix this issue also to avoid the hang.

In WebKit and per the HTML standard [1], the first stylesheet should be rejected because the origin of the URL is a new opaque origin, which is not same origin with the document.

A simpler test that only exercises the origin check without hanging:
http://software.hixie.ch/utilities/js/live-dom-viewer/saved/11968

<!-- quirks -->
<link rel=stylesheet href="data:text/plain,html { background: red }">
There should be no red.

[1] "If the document has been set to quirks mode, has the same origin as the URL of the external resource"
https://html.spec.whatwg.org/multipage/links.html#link-type-stylesheet
and
"Otherwise
Return a new opaque origin."
https://url.spec.whatwg.org/#origin

[2] https://github.com/whatwg/html/issues/2249
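As an added example (not code from the bug report, Gecko or WebKit), the Node script below reproduces both mechanisms the report describes using a WHATWG-conformant URL parser: the unbounded @import chain that results once data: is accepted as a base URL, and the same-origin check from the HTML spec that should reject the first stylesheet because a data: URL's origin is opaque. The data: URL splitting and @import extraction are simplified stand-ins for the real loader and CSS parser (no base64 bodies, only the first url() import is followed), and the document origin http://software.hixie.ch is assumed from the test's host.

```javascript
// Added example (not code from the bug, Gecko or WebKit): simulate the two
// behaviours the report describes with Node's WHATWG-conformant URL parser.
// parseDataUrl() and firstImportTarget() are simplified stand-ins for the
// data: URL processor and the CSS parser; base64 bodies are not handled.

// Split a data: URL into its MIME type string and percent-decoded body.
function parseDataUrl(href) {
  if (!href.startsWith('data:')) throw new Error('not a data: URL: ' + href);
  const rest = href.slice('data:'.length);
  const comma = rest.indexOf(',');
  if (comma < 0) throw new Error('data: URL without a body: ' + href);
  return { mime: rest.slice(0, comma).trim(), body: decodeURIComponent(rest.slice(comma + 1)) };
}

// Stand-in for the CSS parser: return the argument of the first
// "@import url(...)" (quoted or not). Like a real parser it tolerates an
// unterminated string/function at end of input, which is what turns the
// body " @import url('x/" into an import of "x/".
function firstImportTarget(css) {
  const m = /@import\s+url\(\s*["']?([^"')]*)/.exec(css);
  return m ? m[1].trim() : null;
}

// Follow the import chain for at most `hops` imports, resolving each relative
// @import against the URL of the stylesheet that contains it. Returns the
// stylesheet URLs visited, in order. With a data: base URL the chain never
// terminates: each hop doubles the number of "x/" segments, so a real loader
// would keep fetching forever, which is the hang the report predicts.
function followImportChain(firstHref, hops) {
  const chain = [new URL(firstHref).href];
  for (let i = 0; i < hops; i++) {
    const current = chain[chain.length - 1];
    const target = firstImportTarget(parseDataUrl(current).body);
    if (target === null) break; // a stylesheet with no import ends the chain
    chain.push(new URL(target, current).href); // URL standard: data: is a valid base
  }
  return chain;
}

// HTML's quirks-mode exception as the report quotes it: a non-CSS MIME type is
// tolerated only if the resource is same origin with the document. A data:
// URL has an opaque origin (serialized as "null"), so it never qualifies.
function shouldApplyStylesheet({ quirks, documentOrigin, href, mime }) {
  if (mime.toLowerCase() === 'text/css') return true;
  if (!quirks) return false;
  const origin = new URL(href).origin;
  return origin !== 'null' && origin === documentOrigin;
}

// Constructed inputs: the two test stylesheets from the report, assumed to be
// loaded by a quirks-mode document at http://software.hixie.ch.
const DOC_ORIGIN = 'http://software.hixie.ch';
const HANG_TEST = "data:/, @import url('x/');";
const ORIGIN_TEST = 'data:text/plain,html { background: red }';

for (const href of [HANG_TEST, ORIGIN_TEST]) {
  const { mime } = parseDataUrl(href);
  const applied = shouldApplyStylesheet({ quirks: true, documentOrigin: DOC_ORIGIN, href, mime });
  console.log(`${href}\n  MIME "${mime}", applied in quirks mode: ${applied}`);
}
console.log('Import chain if the origin check is skipped (first 5 stylesheets):');
for (const href of followImportChain(HANG_TEST, 4)) console.log('  ' + href);
```

Run with `node`: the origin check rejects both data: stylesheets because `new URL(href).origin` is "null", and the printed chain shows the "x/" segments doubling on every hop, which is why a loader that passes the first stylesheet through must also bound or reject the import loop.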

For the record, the import load starts in here. I don't know where the cross-origin check happens off the top of my head, though.

Severity: -- → S3

NI myself to take a look

Flags: needinfo?(sefeng)