[cssom] Add some cross-origin security considerations. https://www.w3.org/Bugs/Public/show_bug.cgi?id=22453

Simon Pieters · Simon Pieters · commit b3a8f14a47db · 2013-06-25T16:39:03.000+02:00
diff --git a/cssom/Overview.html b/cssom/Overview.html
@@ -1012,8 +1012,11 @@ <h3 id="css-style-sheet-collections"><span class="secno">6.2 </span>CSS Style Sh
  <li><p>Create a new <a href="#css-style-sheet">CSS style sheet</a> object and set its
  properties as specified.</li>
 
- <li><p>Then run the <a href="#add-a-css-style-sheet">add a CSS style sheet</a> steps for the newly
- created <a href="#css-style-sheet">CSS style sheet</a>.</li>
+ <li>
+  <p>Then run the <a href="#add-a-css-style-sheet">add a CSS style sheet</a> steps for the newly created <a href="#css-style-sheet">CSS style sheet</a>.
+ 
+  <p class="warning">If the <a href="#concept-css-style-sheet-origin-clean-flag" title="concept-css-style-sheet-origin-clean-flag">origin-clean flag</a> is unset, this can expose information from the user's
+  intranet.
 </ol>
 
 <p>To <dfn id="add-a-css-style-sheet">add a CSS style sheet</dfn>, run these
@@ -2753,7 +2756,8 @@ <h3 id="extensions-to-the-window-interface"><span class="secno">7.2 </span>Exten
 <p class="note">Because of historical IDL limitations the <code title="dom-Window-getComputedStyle"><a href="#dom-window-getcomputedstyle">getComputedStyle()</a></code> method used to be on
 a separate interface, <code title="">ViewCSS</code>.</p>
 
-
+<p class="warning">The <code title="dom-Window-getComputedStyle"><a href="#dom-window-getcomputedstyle">getComputedStyle()</a></code> method exposes information from <a href="#css-style-sheet" title="CSS style sheet">CSS style
+sheets</a> with the <a href="#concept-css-style-sheet-origin-clean-flag" title="concept-css-style-sheet-origin-clean-flag">origin-clean flag</a> unset.
 
 <h3 id="the-getstyleutils-interface"><span class="secno">7.3 </span>The <code title="">GetStyleUtils</code> Interface</h3>
 
@@ -2798,6 +2802,9 @@ <h3 id="the-getstyleutils-interface"><span class="secno">7.3 </span>The <code ti
 computed for the <a class="external" data-anolis-spec="dom" href="http://dom.spec.whatwg.org/#context-object">context object</a> using the style rules associated
 with the <a class="external" data-anolis-spec="dom" href="http://dom.spec.whatwg.org/#context-object">context object</a>'s <a href="#associated-document">associated document</a>.</p>
 
+<p class="warning">The <code title="dom-GetStyleUtils-specifiedStyle"><a href="#dom-getstyleutils-specifiedstyle">specifiedStyle</a></code>, <code title="dom-GetStyleUtils-computedStyle"><a href="#dom-getstyleutils-computedstyle">computedStyle</a></code> and
+<code title="dom-GetStyleUtils-usedStyle"><a href="#dom-getstyleutils-usedstyle">usedStyle</a></code> methods expose information from <a href="#css-style-sheet" title="CSS style sheet">CSS style sheets</a> with the
+<a href="#concept-css-style-sheet-origin-clean-flag" title="concept-css-style-sheet-origin-clean-flag">origin-clean flag</a> unset.
 
 
 <h3 id="extensions-to-the-element-interface"><span class="secno">7.4 </span>Extensions to the <code title="">Element</code> Interface</h3>
diff --git a/cssom/Overview.src.html b/cssom/Overview.src.html
@@ -933,8 +933,11 @@ <h3>CSS Style Sheet Collections</h3>
  <li><p>Create a new <span>CSS style sheet</span> object and set its
  properties as specified.</p></li>
 
- <li><p>Then run the <span>add a CSS style sheet</span> steps for the newly
- created <span>CSS style sheet</span>.</p></li>
+ <li>
+  <p>Then run the <span>add a CSS style sheet</span> steps for the newly created <span>CSS style sheet</span>.
+ 
+  <p class=warning>If the <span title=concept-css-style-sheet-origin-clean-flag>origin-clean flag</span> is unset, this can expose information from the user's
+  intranet.
 </ol>
 
 <p>To <dfn>add a CSS style sheet</dfn>, run these
@@ -2674,7 +2677,8 @@ <h3>Extensions to the <code title>Window</code> Interface</h3>
 <p class='note'>Because of historical IDL limitations the <code title=dom-Window-getComputedStyle>getComputedStyle()</code> method used to be on
 a separate interface, <code title>ViewCSS</code>.</p>
 
-
+<p class=warning>The <code title=dom-Window-getComputedStyle>getComputedStyle()</code> method exposes information from <span title="CSS style sheet">CSS style
+sheets</span> with the <span title=concept-css-style-sheet-origin-clean-flag>origin-clean flag</span> unset.
 
 <h3>The <code title>GetStyleUtils</code> Interface</h3>
 
@@ -2719,6 +2723,9 @@ <h3>The <code title>GetStyleUtils</code> Interface</h3>
 computed for the <span data-anolis-spec=dom>context object</span> using the style rules associated
 with the <span data-anolis-spec=dom>context object</span>'s <span>associated document</span>.</p>
 
+<p class=warning>The <code title=dom-GetStyleUtils-specifiedStyle>specifiedStyle</code>, <code title=dom-GetStyleUtils-computedStyle>computedStyle</code> and
+<code title=dom-GetStyleUtils-usedStyle>usedStyle</code> methods expose information from <span title="CSS style sheet">CSS style sheets</span> with the
+<span title=concept-css-style-sheet-origin-clean-flag>origin-clean flag</span> unset.
 
 
 <h3>Extensions to the <code title>Element</code> Interface</h3>
