css-cascade-3/Overview.bs
+17-1
@@ -982,4 +982,20 @@ Additions to Level 2</h3>
982
982
<h2 class="no-num" id="priv-sec">
983
983
Privacy and Security Considerations</h2>
984
984
985
-
Issue: Something about ''@import'', since it's linking to other documents?
985
+
* The cascade process does not distinguish between same-origin and cross-origin stylesheets,
986
+
enabling the content of cross-origin stylesheets to be inferred
987
+
from the computed styles they apply to a document.
988
+
989
+
* User preferences and UA defaults expressed via application of style rules
990
+
are exposed by the cascade process,
991
+
and can be inferred from the computed styles they apply to a document.
992
+
993
+
* The ''@import'' rule does not apply the [=CORS protocol=] to loading cross-origin stylesheets,
994
+
instead allowing them to be freely imported and applied.
995
+
996
+
* The ''@import'' rule assumes that resources without <a href="https://html.spec.whatwg.org/multipage/infrastructure.html#content-type"><code>Content-Type</code> metadata</a>
997
+
(or any same-origin file if the host document is in quirks mode)
998
+
are <code>text/css</code>,
999
+
potentially allowing arbitrary files to be imported into the page
1000
+
and interpreted as CSS,
1001
+
potentially allowing sensitive data to be inferred from the computed styles they apply to a document.
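Review bot: the parenthetical in the fourth bullet, "(or any same-origin file if the host document is in quirks mode)", is ambiguous about whether the quirks-mode exception covers only resources lacking Content-Type metadata or any same-origin resource regardless of its declared type; suggest rewording along the lines of "are treated as text/css if they carry no Content-Type metadata, or, when the host document is in quirks mode, if they are same-origin regardless of their Content-Type", and pointing at the linked HTML algorithm as the normative source rather than restating it. The new section lists exposures without referencing any mitigation: the X-Content-Type-Options: nosniff response header, under which Fetch blocks a "style" destination load whose MIME type is not text/css, is the standard countermeasure to the type-assumption issue in the fourth bullet and deserves a cross-reference, and the first bullet would be clearer if it said explicitly that the CSSOM restriction on reading a cross-origin stylesheet's cssRules does not cover inference through computed styles, since that is the gap being described. Minor: the first, second and fourth bullets all close with the near-identical clause "inferred from the computed styles they apply to a document"; stating that consequence once would read better.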
css-cascade-4/Overview.bs
+17-1
@@ -1073,4 +1073,20 @@ Additions to Level 2</h3>
1073
1073
<h2 id=priv-sec>
1074
1074
Privacy and Security Considerations</h2>
1075
1075
1076
-
Issue: Something about ''@import'', since it's linking to other documents?
1076
+
* The cascade process does not distinguish between same-origin and cross-origin stylesheets,
1077
+
enabling the content of cross-origin stylesheets to be inferred
1078
+
from the computed styles they apply to a document.
1079
+
1080
+
* User preferences and UA defaults expressed via application of style rules
1081
+
are exposed by the cascade process,
1082
+
and can be inferred from the computed styles they apply to a document.
1083
+
1084
+
* The ''@import'' rule does not apply the [=CORS protocol=] to loading cross-origin stylesheets,
1085
+
instead allowing them to be freely imported and applied.
1086
+
1087
+
* The ''@import'' rule assumes that resources without <a href="https://html.spec.whatwg.org/multipage/infrastructure.html#content-type"><code>Content-Type</code> metadata</a>
1088
+
(or any same-origin file if the host document is in quirks mode)
1089
+
are <code>text/css</code>,
1090
+
potentially allowing arbitrary files to be imported into the page
1091
+
and interpreted as CSS,
1092
+
potentially allowing sensitive data to be inferred from the computed styles they apply to a document.
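Review bot: the four bullets here are a verbatim copy of the Level 3 hunk, so the same points apply: the quirks-mode parenthetical in the fourth bullet is ambiguous about what it covers, no mitigation (such as X-Content-Type-Options: nosniff for the Content-Type assumption, or the CSSOM cssRules restriction as context for the first bullet) is referenced, and three bullets repeat the same closing clause. Since the text is duplicated across two levels, it will drift unless one copy is marked canonical; the context lines already differ, with Level 3 using <h2 class="no-num" id="priv-sec"> and this file using <h2 id=priv-sec>, which is worth aligning in the same change if the sections are meant to mirror each other.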