Closed
Bug 879275
Opened 12 years ago
Closed 6 years ago
Consider turning off -moz-box display types in untrusted stylesheets
Categories
(Core :: CSS Parsing and Computation, defect)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
People
(Reporter: bzbarsky, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-needed, site-compat)
People keep using -moz-box/-webkit-box and then complaining that they render differently.
But why are we giving them this footgun? Can we just drop support for -moz-box in untrusted stylesheets? Or are there too many sites that depend on it? How close are we to unpreffing flexbox?
Comment 1•12 years ago
|
||
Flexbox is unpreffed in beta (from bug 841876), and the current plan is to let it stay unpreffed when that goes to release in a few weeks.
> Can we just drop support for -moz-box in untrusted stylesheets?
> Or are there too many sites that depend on it?
I think there might be too many sites... I suppose we could do analytics to answer that question more definitively ("how many sites use display:-moz-box without following it with display:flex"), if we end up really strongly considering this.
Reporter | ||
Comment 2•12 years ago
|
||
Ah, excellent. If flexbox is already unpreffed, maybe we should start by adding a warning when -moz-box is used in an untrusted stylesheet?
Comment 3•12 years ago
|
||
That might be a good idea.
I suspect there are a lot of sites that have both new and old flexbox, for fallback... And as long as we've got users on old Gecko versions (i.e. until ESR17 and B2G 1.0* have negligible userbases), it'd be unwise to encourage web developers to remove that fallback style.
So if we add a warning like this soon, we'd probably want to only warn if the *computed style* ends up having -moz-box, rather than just if we see -moz-box.
* (I believe B2G 1.0 uses pre-gecko-22, which is before flexbox was preffed on by default)
Reporter | ||
Comment 4•12 years ago
|
||
Computed style is hard because we don't know whether it originated in an untrusted sheet by that point....
Updated•11 years ago
|
OS: Mac OS X → All
Hardware: x86 → All
Version: unspecified → Trunk
Comment 5•11 years ago
|
||
Is this likely to impact content we ship in Firefox (eg about:home, videocontrols), or is that covered by "trusted stylesheets"? If so we should probably start migrating such things to flexbox. [I suppose there is a similar concern for add-ons too.]
Reporter | ||
Comment 6•11 years ago
|
||
If the stylesheets are loaded from a chrome:// URI (or maybe chrome://content ?), they should be covered by "trusted stylesheets".
But we should start migrating to flexbox anyway.
Updated•11 years ago
|
Keywords: dev-doc-needed,
site-compat
Comment 7•11 years ago
|
||
advocacy-reviewed |
Just drop it completely. Stop being the IE6 of the current browsers.
(In reply to Boris Zbarsky [:bz] from comment #4)
> Computed style is hard because we don't know whether it originated in an
> untrusted sheet by that point....
We could probably issue the warning in nsCSSCompressedDataBlock::MapRuleInfoInto to get around that problem.
Assignee: nobody → dbaron
work in progress on the warning:
https://hg.mozilla.org/users/dbaron_mozilla.com/patches/raw-file/728ac3ced47c/unapplied.warn-xul-display-types
but putting it aside for now (see TODO at the top)
Assignee: dbaron → nobody
Comment 10•6 years ago
|
||
This is fixed as of bug 1496961. We don't parse the -moz- display values on content sheets anymore.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•