Closed Bug 346945 Opened 18 years ago Closed 14 years ago

cross-domain css permission denied in document.styleSheets.cssRules

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: spam, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050702

see http://dullsville.com/bug/css_testgood.html for working example

If css is loaded cross-domain, it isn't possible to access the cssRules or selectorText for the linked stylesheet.  XD rules should not prohibit this.

Reproducible: Always

Steps to Reproduce:
1. Create an HTML page with a linked stylesheet from a different domain
2. Set document.domain to top-level domain
3. Access the stylesheet programatically from javascript with document.styleSheets[].cssRules[]


Actual Results:  
Error: uncaught exception: [Exception... "Access to restricted URI denied"  code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)"  location: "http://dullsville.com/bug/css_testbad.html Line: 14"]

Expected Results:  
Stylesheet should have been accessible due to same-origin domain policies

http://www.mozilla.org/projects/security/components/jssec.html says this should work, is that the correct security reference?
Both pages display the same (expected) behavior under IE, but I might just be confused as to how this is supposed to work.  Should I be able to set www.domain.com as the document.domain to allow access to that subdomain?
punting to DOM
Assignee: general → general
Component: General → DOM
OS: Windows XP → All
Product: Mozilla Application Suite → Core
QA Contact: general → ian
Version: unspecified → Trunk
I just got bit by this too.
I have the same issue - setting document.domain='mydomain.com' doesn't allow me to parse stylesheets from 'test.mydomain.com' it throws the error detailed above
Assignee: general → nobody
QA Contact: ian → general
This is done very much on purpose.  Cross-site access to this information can result in serious privacy leaks, which the security check prevents.

Note that you do NOT have cross-site access for scripting HTML resources; CSS resources are just no different in that regard.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
claim: this bug makes it impossible for content at XYZ.com:80 to have a ws:// or XHR connection to XYZ.com:81 and to subsequently edit document.styleSheets on Firefox.

Am I wrong?
I believe you're wrong, unless you're setting document.domain or something.

If you think you have a testcase that shows that behavior, please do file a separate bug and cc me?
What "serious privacy leaks" are you concerned about? None of the other major browser vendors ave this restriction, and the content of the stylesheet is always obtainable via XHR or fetch() within the constraints of CORS. This restriction appears to be an outdated solution that can go away.
> What "serious privacy leaks" are you concerned about?

There are sites that customize stylesheets based on whether users are logged in, for example.

> and the content of the stylesheet is always obtainable via XHR or fetch() within the constraints of CORS.

Sure.  If CORS is involved, you can set the "crossorigin" attribute on the link, get the sheet via CORS, and then access the rules.  This whole discussion is about cases when CORS does _not_ allow access to the data.
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.