On 01/09/2017 20:06, Emilio Cobos Álvarez wrote:
> Hi dev-platform@,
>
> I'd like to unship access to the :-moz-system-metric pseudo-class, and
> the system metric media queries, from content pages. I just filed
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1396066> for that.
>
> They're not in any spec, and they seem unused (I can't find anything
> non-mozilla-related in GitHub code search). Furthermore they expose
> system information, which can be a fingerprinting vector, and pretty
> random stuff like "is a color picker available?".

Can you elaborate on what you mean by "content pages" in this context?

I'm asking because I think the following things are true:

- Firefox UI is increasingly using in-content pages (i.e. content that
  loads in browser tabs) to "do stuff". This applies to network error
  pages, the preferences, the add-on manager, but also things you might
  spend less time thinking about like the "new tab" page.
- From a security hardening perspective, we would like to avoid those
  pages having system principal as much as possible (i.e. ideally they are
  unprivileged, 'even' if they're using an about: URI)
- Those pages quite regularly need to use OS-specific styling, and
  especially on Windows we sometimes do different things depending on
  whether the user is using a high contrast theme (which isn't something
  we currently expose to web content outside of the media queries etc.)
- Even besides the browser pages that are using these, there are
  bindings we load on "normal" content pages (especially our default
  controls for <video> and <audio>) that have styling that expects these
  media queries to work.

I remember that when we started doing some of this restricting for other
parts of our CSS/Layout implementation, there were some issues with how
we determine what counts as "content" and what counts as "chrome". How
will that be done here, and will the use cases above continue to work?

~ Gijs
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform