Intent to Prototype: CSS object-view-box and object-overflow

[Khushal Sagar]

Contact emails

khusha...@chromium.org, taba...@chromium.org, vmp...@chromium.org

Explainer

https://github.com/w3c/csswg-drafts/issues/7058

Specification

In Progress

Summary

The object-view-box and object-overflow properties allow the content for replaced elements to paint outside its content-box, similar to ink overflow for other elements.

Blink component

Blink>CSS

Motivation

object-view-box and object-overflow allows the author to specify a subset within an image that should draw within the content box of the target replaced element. This enables an author to create an image with a custom glow or shadow applied, with proper ink-overflow behavior like a CSS shadow would have.

The property will also be used to draw ink overflow for snapshots generated for shared element transitions (issue).

Initial public proposal

https://github.com/w3c/csswg-drafts/issues/7058

TAG review

In Progress (Will file one with a draft spec)

TAG review status

In Progress

Risks

Interoperability and Compatibility

Risk is minimal. This is a new feature for which support can be detected by developers. 

Gecko: Positive (see comment here). Will file a request for position with a draft spec (see comment here).

WebKit: No signal

Web developers: No signals

Other signals:

Debuggability

This is debuggable similar to other CSS object-* properties.

Is this feature fully tested by web-platform-tests?

Yes

Flag name

CSSObjectViewBox

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1303102

Estimated milestones

No milestones specified

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5213032857731072

This intent message was generated by Chrome Platform Status.

[Camille Lamy]

Hi!

We looked at this as part of the Security & privacy review process for Web Platform intents, and we were wondering about the feature behavior with regards to iframes. Specifically, we were concerned about the potential for a child frame to draw custom content over its parent using this feature. Is something like this possible as part of the overflow mechanism? If so, we were concerned about the potential for spoofing.

Thanks!

Camille

On Monday, March 7, 2022 at 6:07:28 PM UTC+1 Khushal Sagar wrote:

Contact emails

khusha...@chromium.org, tabatk...@chromium.org, vmpstr@chromium.org

[Tab Atkins]

On Tue, Mar 15, 2022 at 9:11 AM Camille Lamy <cl...@chromium.org> wrote:
> We looked at this as part of the Security & privacy review process for Web Platform intents, and we were wondering about the feature behavior with regards to iframes. Specifically, we were concerned about the potential for a child frame to draw custom content over its parent using this feature. Is something like this possible as part of the overflow mechanism? If so, we were concerned about the potential for spoofing.

Excellent question; the object-* properties were designed with images
in mind rather than iframes. That would indeed be possible with the
spec as currently written; however, it can only be done with the outer
page's blessing - the property needs to be set on the <iframe> element
itself, and can't be adjusted by the embedded page.

I suspect that this is still too dangerous of an ability to expose,
and the right answer is to force iframes to be `object-overflow: clip`
at all times; possibly we should force *all* of the object-*
properties to their initial values for iframes. I've raised this in
the CSSWG <https://github.com/w3c/csswg-drafts/issues/7143>, and will
adjust the spec after the WG discusses this. Thanks so much for the
review!

~TJ