Taking QA Contact on all open or unverified DOM Style bugs...
Nominating this bug for nsbeta1 on behalf of firstname.lastname@example.org.
Removing nsbeta1 nomination -- there was a misunderstanding and some "approved out features" were nominated by mistake! Sorry!
so what needs to be done for this exactly?
I feel that we should absolutely not implement CSSUnknownRule....
*** Bug 157641 has been marked as a duplicate of this bug. ***
*** Bug 188321 has been marked as a duplicate of this bug. ***
bz: do you mean this should not be implemented for performance reasons, or other reasons?
This should not be implemented for security reasons (look up all the issues IE has been having because of their implementation) and because this section of the DOM spec flat-out contradicts the parsing rules in the CSS spec (the people who wrote the DOM spec didn't really know CSS and it shows in many places, this being one of them).
Mass-reassigning bugs to email@example.com
What did that comment have to do with this bug? As you said, bug 188321 has nothing to do with this bug; why did you even drag it in? The security issue here is that sites can load some random content as CSS (in quirks mode they can) and then access a parsed version of it via the CSSOM. If we allow CSSUnknownRule, then most of the content will be accessible in this fashion, allowing sites to read the content of arbitrary web pages (eg including ones that need the user's cookies to get). This would be a gross security violation. There is a known security vulnerability in IE along these lines, as I said.
Note http://lists.w3.org/Archives/Public/www-style/2003Oct/0347.html (which screams "wontfix this bug" to me).
Marking wontfix per comment 14.
4 years ago