Consider turning off -moz-box display types in untrusted stylesheets

NEW
Unassigned

5 years ago
10 days ago

People

(Reporter: bzbarsky, Unassigned)

Tracking

(Blocks: 1 bug, {dev-doc-needed, site-compat})

People keep using -moz-box/-webkit-box and then complaining that they render differently.

But why are we giving them this footgun?  Can we just drop support for -moz-box in untrusted stylesheets?  Or are there too many sites that depend on it?  How close are we to unpreffing flexbox?
Flexbox is unpreffed in beta (from bug 841876), and the current plan is to let it stay unpreffed when that goes to release in a few weeks.

> Can we just drop support for -moz-box in untrusted stylesheets?
> Or are there too many sites that depend on it?

I think there might be too many sites...  I suppose we could do analytics to answer that question more definitively ("how many sites use display:-moz-box without following it with display:flex"), if we end up really strongly considering this.
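The audit proposed in the comment above ("display:-moz-box without following it with display:flex") can be approximated per rule. This is an added example, not part of the original thread or Mozilla's code: the function name and sample stylesheet are assumptions made for illustration, and the check looks only within a single rule, ignoring `!important` priority and the cross-rule cascade.

```javascript
// Added example: per-rule approximation of the audit suggested in the thread.
// SAMPLE_CSS is constructed for illustration; it is not taken from any site.
const SAMPLE_CSS = `
.toolbar { display: -moz-box; display: -webkit-box; display: flex; }
.legacy  { display: -moz-box; -moz-box-orient: vertical; }
.inline  { display: -moz-inline-box; display: inline-flex }
/* .ghost { display: -moz-box; } inside a comment must not count */
@media (min-width: 600px) {
  .nested { display: flex; display: -moz-box; }
}
.plain   { display: block; }
`;

const LEGACY = /^-moz-(inline-)?box$/;   // old XUL box display values
const MODERN = /^(inline-)?flex$/;       // standard flexbox display values

// Returns [{selector, value}] for rules whose last legacy display declaration
// is not followed, in the same rule, by a standard flexbox declaration.
function findUnfallbackedMozBox(css) {
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ""); // strip CSS comments
  const findings = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g; // innermost "selector { ... }" blocks
  let m;
  while ((m = ruleRe.exec(text)) !== null) {
    let lastLegacy = -1, lastModern = -1, legacyValue = null;
    m[2].split(";").forEach((decl, i) => {
      const colon = decl.indexOf(":");
      if (colon < 0) return;
      if (decl.slice(0, colon).trim().toLowerCase() !== "display") return;
      const value = decl.slice(colon + 1)
        .replace(/!important/i, "").trim().toLowerCase();
      if (LEGACY.test(value)) { lastLegacy = i; legacyValue = value; }
      else if (MODERN.test(value)) { lastModern = i; }
    });
    // Later declarations win, so order within the rule matters.
    if (lastLegacy > lastModern) {
      findings.push({ selector: m[1].trim(), value: legacyValue });
    }
  }
  return findings;
}

console.log(findUnfallbackedMozBox(SAMPLE_CSS));
```

The `.nested` rule is reported even though it contains `display: flex`, because the legacy value comes last and would win in an engine that accepts both.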
(Reporter)

Comment 2

5 years ago
Ah, excellent.  If flexbox is already unpreffed, maybe we should start by adding a warning when -moz-box is used in an untrusted stylesheet?
That might be a good idea.

I suspect there are a lot of sites that have both new and old flexbox, for fallback... And as long as we've got users on old Gecko versions (i.e. until ESR17 and B2G 1.0* have negligible userbases), it'd be unwise to encourage web developers to remove that fallback style.

So if we add a warning like this soon, we'd probably want to only warn if the *computed style* ends up having -moz-box, rather than just if we see -moz-box.

* (I believe B2G 1.0 uses pre-gecko-22, which is before flexbox was preffed on by default)
(Reporter)

Comment 4

5 years ago
Computed style is hard because we don't know whether it originated in an untrusted sheet by that point....
OS: Mac OS X → All
Hardware: x86 → All
Version: unspecified → Trunk
Is this likely to impact content we ship in Firefox (eg about:home, videocontrols), or is that covered by "trusted stylesheets"? If so we should probably start migrating such things to flexbox. [I suppose there is a similar concern for add-ons too.]
(Reporter)

Comment 6

5 years ago
If the stylesheets are loaded from a chrome:// URI (or maybe chrome://content ?), they should be covered by "trusted stylesheets".

But we should start migrating to flexbox anyway.

Updated

5 years ago
Keywords: dev-doc-needed, site-compat

Comment 7

5 years ago
advocacy-reviewed
Just drop it completely. Stop being the IE6 of the current browsers.
(In reply to Boris Zbarsky [:bz] from comment #4)
> Computed style is hard because we don't know whether it originated in an
> untrusted sheet by that point....

We could probably issue the warning in nsCSSCompressedDataBlock::MapRuleInfoInto to get around that problem.
Assignee: nobody → dbaron
work in progress on the warning:
https://hg.mozilla.org/users/dbaron_mozilla.com/patches/raw-file/728ac3ced47c/unapplied.warn-xul-display-types
but putting it aside for now (see TODO at the top)
Assignee: dbaron → nobody

Updated

5 years ago
Blocks: 914360

Updated

4 years ago
See Also: → bug 619476

Updated

6 months ago
Blocks: 1288572

Updated

3 months ago
Blocks: 775235

Updated

3 months ago
No longer blocks: 914360, 1288572
Depends on: 1288572

Updated

2 months ago
Depends on: 1477553

Updated

10 days ago
Depends on: 1496961