[whatwg] Selectors within <style scoped>

simon.madine at nokia.com simon.madine at nokia.com
Fri Jul 22 00:30:39 PDT 2011 

I've been working with a JS polyfill to enable scoped styles optionally including or excluding the direct parent element and, from a CSS writing point-of-view, it feels more natural to be able to affect the parent. The scoped block essentially has influence over the elements it can directly 'see' - parent and siblings.

Either way, there's going to be a neutral container element so it comes down to whether that would be better provided by the author of the page or the author of the included block. 

Simon



________________________________________
From: whatwg-bounces at lists.whatwg.org [whatwg-bounces at lists.whatwg.org] on behalf of ext Kornel Lesiński [kornel at geekhood.net]
Sent: 20 July 2011 22:37
To: ash at ashleysheridan.co.uk
Cc: whatwg
Subject: Re: [whatwg] Selectors within <style scoped>

On Wed, 20 Jul 2011 20:55:51 +0100, Ashley Sheridan
<ash at ashleysheridan.co.uk> wrote:

>> <div id=widget>
>>    <style scoped>
>>      #widget foo {}
>>    </style>
>> </div>
>
> While I agree that that might be a common pattern, I disagree that it's
> actually a good one. Consider an ad service which wraps everything in a
> custom <div> tag. If the scope allowed the immediate parent to be
> included as part of the scope, then it could allow the advert to be
> altered in a way that could negatively affect the users of the site the
> ad appeared on.

The site could wrap the ad in another div to prevent that (and this is
typical when the site wants to create fixed-size ad slot).

> The purpose of scope in the style seems to be to protect elements
> outside of the included content and to 'contain' the included content
> that has the <style scoped> element in it, presumably because it's
> coming from an external source. If you allowed the immediate parent as
> your example, then it could allow the 3rd parties who created the advert
> to take over the element beyond what the advert service would prefer to
> be allowed.

For rogue 3rd parties there's <iframe> in seamless and sandboxed flavors.

If author is allowing untrusted and misbehaving code in the DOM, then it's
already game over — the ad can do anything, including creating <style>
without scope and modifying other stylesheets.

Even scoped style could use position:absolute or fixed to modify looks of
something outside the element.

--
regards, Kornel Lesiński

More information about the whatwg mailing list