|cssRules null when stylesheets loaded from local disk|
|Reported by email@example.com, Jul 13 2010||Back to list|
Jul 15 2010,
Jul 29 2010,
Aug 18 2010,
Sep 15 2010,
Oct 19 2010,
Since we are passed the branch, moving all mstone-8 issues to mstone-9 for triage/punting
Oct 21 2010,
Nov 10 2010,
This bug makes Chrome unusable for the TYPO3 backend. See: http://bugs.typo3.org/view.php?id=15633
Nov 22 2010,
This is not affecting only file urls - I can reproduce today on http://facebook.com/ 1. Visit http://facebook.com/ (not logged in, just show the login screen) 2. Open the Developer Tools 3. Type: document.styleSheets.cssRules Expected result: a CSSRuleList Got instead: null This works fine on other urls, e.g. http://google.com/
Nov 22 2010,
I tried document.styleSheets.cssRules on a bunch of sites, and about half of them failed. I suspect that it's failing for any cross-origin CSS request. Fails: http://facebook.com/ (not logged in) http://yahoo.com/ http://nytimes.com/ http://digg.com/ http://orkut.com/ (not logged in) http://apple.com/ Succeeds: http://google.com/ http://cmu.edu/ http://reddit.com/ http://amazon.com/ http://stanford.edu/ http://android.com/ I'm modifying the summary to change the text "when loading style sheet from local disk" to "when stylesheets loaded from cross-origin or local disk"
Nov 23 2010,
Update: I just learned that styleSheet.cssRules is supposed to respect the same-origin policy, because of the following security issue: http://arstechnica.com/microsoft/news/2010/09/microsoft-investigates-public-ie-css-xss-flaw-twitter-hotmail-vulnerable.ars ...so, the only issue is whether an exception should be made for file:/// urls. Changing subject to say "local disk" again.
Nov 24 2010,
Could it also be allowed for extension content scripts if extension has needed permissions?
Jan 26 2011,
Any chance of progress on this bug? It's six months old and still not triaged. Unfortunately, it is currently breaking an app I'm writing with CEF that relies on local files. In my case, both the html and the css are local files, so the same-origin policy shouldn't apply. I'm forced to instantiate an object that will trigger the rules I'm looking for, then pull out the rules from the DOM, which obliviates the entire reason for having rulesheet access in the first place. Any help bumping this up would be appreciated.
Apr 21 2011,
cross-origin stylesheets are pretty common, as a lot of sites have a special domain for loading static resources (including but not limited to sites that use frameworks loaded from a CDN). This is blocking an app of mine as well. This might actually be a webkit bug, though - I'm seeing some of the same problems in Safari...
May 13 2011,
Jun 9 2011,
This is a bug. If the stylesheet and the HTML are both on local disk, this bug occurs (i.e. you get a null stylesheet from document.styleSheets). This is INCORRECT as both the .html and stylesheet have the SAME origin. The same-origin policy should allow this.
Mar 28 2012,
I have a simple web application I also let users download onto their hard drive. This works fine on FireFox 11 and Safari 5.1.5 On FireFox and Safari executing the following in the console returns 108: document.styleSheets.cssRules.length => 108 While on Chrome it returns an error because the returned cssRules is null: document.styleSheets.cssRules.length => TypeError: Cannot read property 'length' of null --- The site in question is: http://lab.dev.concord.org/ We have a large grant from the google Foundation to develop HTML5-based scientific models, visualizations, graphing, and probeware. You can replicate the problem easily by downloading the generated examples distribution by opening the gh-pages branch and downloading a ZIP archive bly clicking the "ZIP" link in the middle of the top of the page. https://github.com/concord-consortium/lab/tree/gh-pages Expand the archive and open the index.html page. Then click on the "Simple Atoms Model" link. The error I described above will prevent the page from loading properly. You can open this page directly to see how it should work: http://concord-consortium.github.com/lab/examples/simple-atoms-model/simple-atoms-model.html
May 12 2012,
Firefox and Safari work as expected. Why Chrome is so stupid? "Access-Control-Allow-Origin *" is not working too.
May 14 2012,
special flag is required: "-allow-file-access-from-files" (mac os x: /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome -allow-file-access-from-files)
Feb 14 2013,
Firefox handles this in the following way: https://developer.mozilla.org/en-US/docs/Same-origin_policy_for_file:_URIs Should chromium handle this in the same way, or just make an exception for style-sheets?
Mar 10 2013,
Apr 4 2013,
Apr 6 2013,
Aug 18 2013,
Guys, get your act together as this is blocking local apps from being compatible with Chrome, and even the new Opera builds with the new engine. Horrible..
Oct 11 2013,
Oct 11 2013,
Fact is, they don't consider this to be a bug. This is deliberate to prevent local pages from being used as a security vulnerability. They'll never fix this, unless they change their minds. I think things like web-workers are also being blocked, but am not quite sure. I am going to rebuild my apps around this issue... Sucks but true
Oct 11 2013,
May 9 2015,
May 9 2015,
The styles are applied, but they can not be accessed via cssRules. This is intentional, however you can still manipulate styles by creating a style element and editing it's textContent..
Jul 15 2015,
Mar 8 2016,
Apr 22 2016,
Apr 22 2016,
Due to a quick investigation, https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/css/CSSStyleSheet.cpp&q=CSSStyleSheet::canAccessRules&sq=package:chromium&l=237 CSSStyleSheet::canAccessRules() defines what can access to the property. If we really want to allow the access to the style sheed loaded from file://, this seems the part to work on. But, I'm suspicious, probably we shouldn't allow it. For the general solution, if users specify --allow-file-access-from-files command-line flag to Chromium, you can access to style sheets loaded from file:// from html loaded from file://. Maybe, this issue would be WontFix, but I defer the decision to Blink>CSS owners, just in case that we'd like to allow file-to-file access for stylesheets by default.
Apr 26 2016,
Apr 29 2016,
Jul 6 2016,
This was wontfixed in https://bugs.chromium.org/p/chromium/issues/detail?id=143626#c11
|► Sign in to add a comment|