Closed Bug 879275 Opened 7 years ago Closed 2 years ago

Consider turning off -moz-box display types in untrusted stylesheets

Categories: Core :: CSS Parsing and Computation, defect
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Reporter: bzbarsky
Assignee: Unassigned
Blocks: 1 open bug
Keywords: dev-doc-needed, site-compat

People keep using -moz-box/-webkit-box and then complaining that they render differently.

But why are we giving them this footgun?  Can we just drop support for -moz-box in untrusted stylesheets?  Or are there too many sites that depend on it?  How close are we to unpreffing flexbox?

Flexbox is unpreffed in beta (from bug 841876), and the current plan is to let it stay unpreffed when that goes to release in a few weeks.

> Can we just drop support for -moz-box in untrusted stylesheets?
> Or are there too many sites that depend on it?

I think there might be too many sites...  I suppose we could do analytics to answer that question more definitively ("how many sites use display:-moz-box without following it with display:flex"), if we end up really strongly considering this.

Ah, excellent.  If flexbox is already unpreffed, maybe we should start by adding a warning when -moz-box is used in an untrusted stylesheet?

That might be a good idea.

I suspect there are a lot of sites that have both new and old flexbox, for fallback... And as long as we've got users on old Gecko versions (i.e. until ESR17 and B2G 1.0* have negligible userbases), it'd be unwise to encourage web developers to remove that fallback style.

So if we add a warning like this soon, we'd probably want to only warn if the *computed style* ends up having -moz-box, rather than just if we see -moz-box.

* (I believe B2G 1.0 uses pre-gecko-22, which is before flexbox was preffed on by default)
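
The check discussed in the comments above (counting "display:-moz-box without following it with display:flex", and flagging only rules where the legacy value is what ends up applied rather than every occurrence), as an added example that is not part of the bug thread or of Mozilla's code. The names `audit` and `winning_display`, the choice of legacy values, and the sample CSS are constructed for illustration. It assumes the engine drops other vendors' prefixed values, and it is a per-rule approximation that does not model the cascade across rules or braces inside strings.

```python
import re

# Legacy XUL box values to flag (chosen for this example).
LEGACY = {"-moz-box", "-moz-inline-box"}
COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Innermost blocks only, so rules nested inside @media are still found.
BLOCK = re.compile(r"([^{}]*)\{([^{}]*)\}")
DISPLAY = re.compile(r"(?:^|;)\s*display\s*:\s*([^;]+)", re.I)
IMPORTANT = re.compile(r"\s*!\s*important\s*$", re.I)


def winning_display(declarations):
    """Return (display values seen, value that wins within this block)."""
    seen = []
    for raw in DISPLAY.findall(declarations):
        value = IMPORTANT.sub("", raw).strip().lower()
        seen.append((value, bool(IMPORTANT.search(raw))))
    # Assumption: the engine drops other vendors' prefixed values
    # (e.g. -webkit-box), so they never override anything.
    usable = [(v, imp) for v, imp in seen if v in LEGACY or not v.startswith("-")]
    important = [v for v, imp in usable if imp]
    winner = important[-1] if important else (usable[-1][0] if usable else None)
    return [v for v, _ in seen], winner


def audit(css):
    """Sort rules that mention a legacy value by whether it actually wins."""
    report = {"effective": [], "fallback": []}
    for selector, body in BLOCK.findall(COMMENT.sub("", css)):
        values, winner = winning_display(body)
        if LEGACY.intersection(values):
            kind = "effective" if winner in LEGACY else "fallback"
            report[kind].append((" ".join(selector.split()), winner))
    return report


# Constructed sample, not taken from any real site.
SAMPLE_CSS = """
.toolbar { display: -moz-box; display: -webkit-box; display: flex; }
.legacy  { display: -webkit-box; display: -moz-box; -moz-box-orient: vertical }
@media (min-width: 600px) {
  .pinned { display: -moz-inline-box !important; display: inline-flex; }
}
.plain { display: block; }
"""

if __name__ == "__main__":
    for kind, rules in audit(SAMPLE_CSS).items():
        print(kind, rules)
```

Rules listed under "fallback" keep the old value only for older engines; only the "effective" ones would change rendering once the legacy value stops being parsed.
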
Computed style is hard because we don't know whether it originated in an untrusted sheet by that point....
OS: Mac OS X → All
Hardware: x86 → All
Version: unspecified → Trunk
Is this likely to impact content we ship in Firefox (eg about:home, videocontrols), or is that covered by "trusted stylesheets"? If so we should probably start migrating such things to flexbox. [I suppose there is a similar concern for add-ons too.]

If the stylesheets are loaded from a chrome:// URI (or maybe chrome://content ?), they should be covered by "trusted stylesheets".

But we should start migrating to flexbox anyway.

Just drop it completely. Stop being the IE6 of the current browsers.

(In reply to Boris Zbarsky [:bz] from comment #4)
> Computed style is hard because we don't know whether it originated in an
> untrusted sheet by that point....

We could probably issue the warning in nsCSSCompressedDataBlock::MapRuleInfoInto to get around that problem.
Assignee: nobody → dbaron
work in progress on the warning:
https://hg.mozilla.org/users/dbaron_mozilla.com/patches/raw-file/728ac3ced47c/unapplied.warn-xul-display-types
but putting it aside for now (see TODO at the top)
Assignee: dbaron → nobody
Blocks: 914360
See Also: → 619476
Blocks: 1288572
Blocks: unprefix
No longer blocks: 914360, 1288572
Depends on: 1288572
Depends on: 1477553
Depends on: 1496961
This is fixed as of bug 1496961. We don't parse the -moz- display values on content sheets anymore.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
See Also: → 1255315