Closed
Bug 346945
Opened 18 years ago
Closed 14 years ago
cross-domain css permission denied in document.styleSheets.cssRules
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: spam, Unassigned)
References
()
Details
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050702 see http://dullsville.com/bug/css_testgood.html for working example If css is loaded cross-domain, it isn't possible to access the cssRules or selectorText for the linked stylesheet. XD rules should not prohibit this. Reproducible: Always Steps to Reproduce: 1. Create an HTML page with a linked stylesheet from a different domain 2. Set document.domain to top-level domain 3. Access the stylesheet programatically from javascript with document.styleSheets[].cssRules[] Actual Results: Error: uncaught exception: [Exception... "Access to restricted URI denied" code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)" location: "http://dullsville.com/bug/css_testbad.html Line: 14"] Expected Results: Stylesheet should have been accessible due to same-origin domain policies http://www.mozilla.org/projects/security/components/jssec.html says this should work, is that the correct security reference?
Reporter | ||
Comment 1•18 years ago
|
||
Both pages display the same (expected) behavior under IE, but I might just be confused as to how this is supposed to work. Should I be able to set www.domain.com as the document.domain to allow access to that subdomain?
Comment 2•18 years ago
|
||
punting to DOM
Assignee: general → general
Component: General → DOM
OS: Windows XP → All
Product: Mozilla Application Suite → Core
QA Contact: general → ian
Version: unspecified → Trunk
Comment 3•17 years ago
|
||
I just got bit by this too.
I have the same issue - setting document.domain='mydomain.com' doesn't allow me to parse stylesheets from 'test.mydomain.com' it throws the error detailed above
Updated•15 years ago
|
Assignee: general → nobody
QA Contact: ian → general
Comment 5•14 years ago
|
||
This is done very much on purpose. Cross-site access to this information can result in serious privacy leaks, which the security check prevents. Note that you do NOT have cross-site access for scripting HTML resources; CSS resources are just no different in that regard.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Comment 6•12 years ago
|
||
claim: this bug makes it impossible for content at XYZ.com:80 to have a ws:// or XHR connection to XYZ.com:81 and to subsequently edit document.styleSheets on Firefox. Am I wrong?
Comment 7•12 years ago
|
||
I believe you're wrong, unless you're setting document.domain or something. If you think you have a testcase that shows that behavior, please do file a separate bug and cc me?
What "serious privacy leaks" are you concerned about? None of the other major browser vendors ave this restriction, and the content of the stylesheet is always obtainable via XHR or fetch() within the constraints of CORS. This restriction appears to be an outdated solution that can go away.
Comment 9•6 years ago
|
||
> What "serious privacy leaks" are you concerned about? There are sites that customize stylesheets based on whether users are logged in, for example. > and the content of the stylesheet is always obtainable via XHR or fetch() within the constraints of CORS. Sure. If CORS is involved, you can set the "crossorigin" attribute on the link, get the sheet via CORS, and then access the rules. This whole discussion is about cases when CORS does _not_ allow access to the data.
Assignee | ||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•