Intent to unship: @-moz-document from content pages.

Emilio Cobos Álvarez

Nov 29, 2017, 11:53:50 AM
to dev-pl...@lists.mozilla.org, fre...@mozilla.com
Hi again,

In bug 1035091 I intend to remove support for the @-moz-document CSS
rule in content pages (more exactly in author stylesheets).

The reasoning for this, apart from it being a non-standard mozilla-only
CSS feature, is that it's a possible security risk in presence of CSS
injection attacks (Freddy, CCd, can give more details about this, there
are also some links on the bug).

Since it's a useful feature for user stylesheets, we're keeping it on those.

Let me know if there's any concern on doing this.

-- Emilio

Xidorn Quan

Nov 29, 2017, 12:06:05 PM
to dev-pl...@lists.mozilla.org
It may be worth checking how some popular extensions nowadays handle
user style in different sites.

If they insert rules containing @-moz-document, they may be broken with
this change, although I wouldn't expect that to happen in
WebExtensions...

- Xidorn

Boris Zbarsky

Nov 29, 2017, 12:30:27 PM
On 11/29/17 11:53 AM, Emilio Cobos Álvarez wrote:
> Let me know if there's any concern on doing this.

@-moz-document url-prefix() {
/* rules go here */
}

at least used to be a somewhat common way to have "Firefox-only" rules
on web pages. https://stackoverflow.com/search?q=moz-document shows
~7000 results, for example, most of them about this pattern.

So there are worries about possible compat fallout here...

-Boris

Mike Taylor

Nov 29, 2017, 12:36:44 PM
to Emilio Cobos Álvarez, dev-pl...@lists.mozilla.org, fre...@mozilla.com

> On Nov 29, 2017, at 10:53 AM, Emilio Cobos Álvarez <emi...@crisal.io> wrote:
>
> In bug 1035091 I intend to remove support for the @-moz-document CSS
> rule in content pages (more exactly in author stylesheets).

This is a pretty widely used mechanism to target styles for Gecko. Would it be possible to disable in non-release for a few releases to sniff out any major layout/compat bustage?


--
Mike Taylor
Web Compat, Mozilla


Emilio Cobos Álvarez

Nov 29, 2017, 12:43:06 PM
to dev-pl...@lists.mozilla.org, bzba...@mit.edu
Sure, sounds good.

Another thing we could try to do if plain unshipping fails would be to
just hide the regex matching function, which IIUC would prevent the
security issue too. But hiding it behind a pref on non-release for now
sounds good.

Boris, would you also be fine with that?

-- Emilio

Boris Zbarsky

Nov 29, 2017, 12:51:49 PM
On 11/29/17 12:42 PM, Emilio Cobos Álvarez wrote:
> Another thing we could try to do if plain unshipping fails would be to
> just hide the regex matching function, which IIUC would prevent the
> security issue too. But hiding it behind a pref on non-release for now
> sounds good.
>
> Boris, would you also be fine with that?

Yes. We might need to end up continuing to ship support for just the
non-regex thing, or just url-prefix(/* whitespace only */). But we can
start with disabling altogether on nightly+early-beta for the moment.

-Boris

Karl Dubost

Nov 29, 2017, 8:05:06 PM
to Emilio Cobos Álvarez, Boris Zbarsky, dev-pl...@lists.mozilla.org


On Nov 30, 2017, at 02:42, Emilio Cobos Álvarez <emi...@crisal.io> wrote:
> On 11/29/2017 06:36 PM, Mike Taylor wrote:
>> This is a pretty widely used mechanism to target styles for Gecko. Would it be possible to disable in non-release for a few releases to sniff out any major layout/compat bustage?
>
> Sure, sounds good.

Just to illustrate Mike's comment.
https://github.com/search?l=CSS&q=%22%40-moz-document%22&ref=advsearch&type=Code&utf8=%E2%9C%93


--
Karl Dubost, mozilla 💡 Webcompat
http://www.la-grange.net/karl/moz





Emilio Cobos Álvarez

Mar 19, 2018, 6:22:00 AM
to dev-pl...@lists.mozilla.org, mi...@mozilla.com
On 11/29/17 6:36 PM, Mike Taylor wrote:
>
>> On Nov 29, 2017, at 10:53 AM, Emilio Cobos Álvarez <emi...@crisal.io> wrote:
>>
>> In bug 1035091 I intend to remove support for the @-moz-document CSS
>> rule in content pages (more exactly in author stylesheets).
>
> This is a pretty widely used mechanism to target styles for Gecko. Would it be possible to disable in non-release for a few releases to sniff out any major layout/compat bustage?

Just for completeness, we did find breakage (see dependencies of that
bug). I fixed most of those, and YouTube fixed theirs on their side.

All of it was related to @-moz-document url-prefix(), so even though I'd
still like to eventually get rid of it, for now I've added a pref:

layout.css.moz-document.url-prefix-hack.enabled

which controls whether @-moz-document url-prefix() parses or not.

The intention is that for pre-release builds there's no change (no
@-moz-document in content at all) since we still want to eventually flip
that pref, but for release we'll ship:

layout.css.moz-document.content.enabled = false;
layout.css.moz-document.url-prefix-hack.enabled = true;

That is, pages with @-moz-document url-prefix() { foo } will keep
working, but not other matching functions like regex().

Let me know if there's any concern with doing this.

-- Emilio
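
An added example, not part of the thread and not Firefox code: a small audit that classifies `@-moz-document` rules in author CSS according to the release configuration described above. It assumes that only `url-prefix()` with an empty or whitespace-only argument keeps parsing in content pages; `auditMozDocument`, the status labels and the sample stylesheet are constructed for illustration.

```javascript
// Added example (not Firefox code): classify @-moz-document rules in author CSS.
// Assumption from the thread: in content pages only url-prefix() with an
// empty or whitespace-only argument keeps parsing; everything else is dropped.
const STR = String.raw`"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'`;

// Blank out comments (keeping newlines) without touching quoted strings.
function stripComments(css) {
  const re = new RegExp(STR + String.raw`|/\*[\s\S]*?\*/`, "g");
  return css.replace(re, t => (t.startsWith("/*") ? t.replace(/[^\n]/g, " ") : t));
}

// Parse "url-prefix(), regex(\"...\")" into [{fn, arg}], honouring quotes.
function parseConditions(prelude) {
  const re = new RegExp(String.raw`([a-z-]+)\(\s*((?:${STR}|[^)"'])*?)\s*\)`, "gi");
  return [...prelude.matchAll(re)].map(m => ({ fn: m[1].toLowerCase(), arg: m[2] }));
}

function auditMozDocument(css) {
  const clean = stripComments(css);
  const re = new RegExp(String.raw`@-moz-document\s+((?:${STR}|[^{"'])*)\{`, "gi");
  return [...clean.matchAll(re)].map(m => {
    const conds = parseConditions(m[1]);
    const hack = conds.length === 1 && conds[0].fn === "url-prefix" && conds[0].arg === "";
    return {
      line: clean.slice(0, m.index).split("\n").length,
      conditions: conds.map(c => c.fn),
      status: hack ? "kept-url-prefix-hack" : "dropped-in-content",
    };
  });
}

// Constructed sample stylesheet (example.test is a placeholder domain).
const SAMPLE = `
/* constructed sample */
@-moz-document url-prefix() {
  .btn { padding-top: 1px; }
}
@-moz-document url-prefix( /* whitespace only */ ) { .a { color: red; } }
@-moz-document regex("https://example\\.test/.*[?&]q=a.*") {
  body { background: url(x.png); }
}
@-moz-document url-prefix("https://example.test/"), domain(example.test) { .b {} }
`;

console.log(auditMozDocument(SAMPLE));
```

Rules reported as `dropped-in-content` are the ones to rewrite before the change reaches release; user stylesheets are unaffected, per the original announcement.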

Emilio Cobos Álvarez

Mar 19, 2018, 6:26:37 AM
to dev-pl...@lists.mozilla.org, mi...@mozilla.com
Oh, missed it, this is tracked in bug 1446470.
