
Issue 650534


Issue metadata

Status: Duplicate
Merged: issue 775525
Owner: ----
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 3
Type: Compat




Accessing cross-origin stylesheet data should throw exception instead of failing silently

Reported by quanxunz...@gmail.com, Sep 27 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0

Example URL:

Steps to reproduce the problem:
1. open the attached test page

What is the expected behavior?
It should show something like "SecurityError: ..."

What went wrong?
It doesn't show the error, but shows null for cssRules.

Does it occur on multiple sites: N/A

Is it a problem with a plugin? N/A 

Did this work before? No 

Does this work in other browsers? No Edge, Safari

Chrome version: 55.0.2872.0  Channel: canary
OS Version: OS X 10.10
Flash Version: Shockwave Flash 23.0 r0

Throwing a SecurityError when accessing information from a cross-origin stylesheet is the behavior required in the CSSOM spec. See https://drafts.csswg.org/cssom/#dom-cssstylesheet-cssrules
 
Attachment: test.html (387 bytes)
Labels: Hotlist-Interop
Components: Blink>SecurityFeature
Cc: meade@chromium.org mkwst@chromium.org
Components: Blink>CSS
Eddy / Mike: is this style team or security team?
Labels: -Pri-2 Pri-3
Status: Available (was: Unconfirmed)
Clicky version of above test: https://jsfiddle.net/fkyrcu3r/2/

Chrome 55 and Safari 9.1.3 do not show the SecurityError. Firefox 48.0.1 does.

I haven't looked at the code, but I suspect either team could fix this one. Eddy - can we put this on the Style team backlog?

Comment 5 by meade@chromium.org, Oct 6 2016

Added it to the agenda. Thanks Mike!
We should probably use count this first; throwing an exception has the potential to break any content that was null checking here.
Any update here? If you have use count data which shows it would likely break too many things, we should fix the spec. Otherwise, fixing this bug as soon as possible would prevent more sites from relying on the wrong behavior.

Comment 8 by meade@chromium.org, Dec 1 2016

It's still on our backlog, sorry. We have a lot more work than we have people!
Labels: Update-Quarterly

Comment 10 by suzyh@chromium.org, Mar 30 2017

Cc: suzyh@chromium.org
I had a quick look at this to try to add the UseCounter but I'm not confident that I'll get the right code location.

mkwst: Do you have a pointer for where this code change should occur? Alternatively, since the Style team has limited bandwidth, is this issue something the Security team would like to take responsibility for?

Comment 11 by suzyh@chromium.org, Jun 13 2017

Cc: -suzyh@chromium.org

Comment 12 by meade@chromium.org, Oct 31 2017

Mergedinto: 775525
Status: Duplicate (was: Available)
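
An added example, not part of the issue thread or of Chromium's code: script that reads `cssRules` has to treat both the `null` return reported here and the `SecurityError` required by the CSSOM spec as "cross-origin, not readable", without swallowing unrelated errors. The function names, the sheet objects and the `example` URLs are constructed stand-ins so the block runs outside a browser.

```javascript
// Classify a stylesheet by how the engine answers a cssRules read:
//   "ok"            - rules are readable
//   "blocked-throw" - engine throws SecurityError (CSSOM spec behaviour)
//   "blocked-null"  - engine silently returns null (behaviour reported in this issue)
function readCssRules(sheet) {
  let rules;
  try {
    rules = sheet.cssRules;
  } catch (err) {
    if (err && err.name === "SecurityError") {
      return { href: sheet.href, state: "blocked-throw", rules: [] };
    }
    throw err; // anything else is a real bug, do not hide it
  }
  if (rules === null || rules === undefined) {
    return { href: sheet.href, state: "blocked-null", rules: [] };
  }
  return { href: sheet.href, state: "ok", rules: Array.from(rules) };
}

// Split a list of sheets into readable and cross-origin-blocked entries.
function summarizeSheets(sheets) {
  const summary = { ok: [], blocked: [] };
  for (const sheet of Array.from(sheets)) {
    const result = readCssRules(sheet);
    (result.state === "ok" ? summary.ok : summary.blocked).push(result);
  }
  return summary;
}

// Constructed stand-ins for CSSStyleSheet objects (assumption: plain objects
// with href and cssRules are enough to exercise the logic).
function securityError() {
  const err = new Error("The operation is insecure.");
  err.name = "SecurityError";
  return err;
}
const SAMPLE_SHEETS = [
  { href: "https://app.example/site.css", cssRules: [{ cssText: "body { margin: 0; }" }] },
  { href: "https://cdn.example/null.css", cssRules: null },
  { href: "https://cdn.example/throw.css", get cssRules() { throw securityError(); } },
];

// In a page this would be summarizeSheets(document.styleSheets).
const SAMPLE_SUMMARY = summarizeSheets(SAMPLE_SHEETS);
console.log(SAMPLE_SUMMARY.blocked.map((r) => `${r.href}: ${r.state}`));
```
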
