Closed Bug 1228985 Opened 9 years ago Closed 4 years ago

"Add new rule" is blocked by CSP

Categories

(DevTools :: Inspector: Rules, defect, P2)

defect

Tracking

(firefox42 wontfix, firefox45 wontfix, firefox81 fixed)

RESOLVED FIXED
81 Branch
Tracking Status
firefox42 --- wontfix
firefox45 --- wontfix
firefox81 --- fixed

People

(Reporter: ntim, Assigned: bradwerth)

References

(Blocks 1 open bug, )

Details

(Whiteboard: [btpp-fix-later][dt-q])

Attachments

(2 files)

13:30:09.798 TypeError: sheet is null Stack trace: PageStyleActor<.addNewRule<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/styles.js:981:9 TaskImpl_run@resource://gre/modules/Task.jsm:314:40 TaskImpl@resource://gre/modules/Task.jsm:275:3 createAsyncFunction/asyncFunction@resource://gre/modules/Task.jsm:249:14 actorProto/</handler@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:1013:19 DSC_onPacket@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1643:15 LocalDebuggerTransport.prototype.send/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/transport/transport.js:569:11 makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/DevToolsUtils.js:87:14 makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/DevToolsUtils.js:87:14 1 protocol.js:907
Doesn't work in 42 or 45, haven't tested on other version, but I'm pretty sure it doesn't work on 43 or 44.
So it looks like one of the stylesheets doesn't exist on the page. :gl, :tromey, any idea why this might be failing ?
Flags: needinfo?(ttromey)
Flags: needinfo?(gl)
This still doesn't work in FF47. It actually comes from a CSP policy on this site (style-src). https://developer.mozilla.org/fr/docs/Web/Security/CSP/CSP_policy_directives#style-src The headers on this page define this CSP and this blocks the creation of inline <style> sheet. However, the "add rule" feature depends on this. I think we've had this problem already in the past and I seem to remember that CSP policies were not supposed to apply to devtools code. But I can't remember the exact bug where this was discussed. I'm tempted to triage this as a P1, but I don't know if we have the bandwidth at the moment to investigate and solve this potentially complex problem, and this has been here for a while and hasn't had really bad consequences from what I can see. I'll try to ping a few people, hopefully I get a lead on how to start fixing this.
Flags: needinfo?(ttromey)
Flags: needinfo?(gl)
Priority: -- → P2
Whiteboard: [btpp-fix-later]
This is similar to bug 1185351 which was about the highlighter. The highlighter sets style attributes on dynamically injected native anonymous content in the page, and this used to be blocked by CSP. Bug 1185351 basically made CSP ignore native anon content. Here, we're not using native anon content, devtools is creating a (normal) <style> DOM node to inject new rules that the user is creating in the inspector. According to https://en.wikipedia.org/wiki/Content_Security_Policy#Browser_add-ons_and_extensions_exemption browser code should be exempt from this. Christoph: how should we proceed here? It looks like a CSP bug.
Flags: needinfo?(ckerschb)
Component: Developer Tools: Inspector → Developer Tools: CSS Rules Inspector
(In reply to Patrick Brosset [:pbro] from comment #4) > Here, we're not using native anon content, devtools is creating a (normal) > <style> DOM node to inject new rules that the user is creating in the > inspector. Right, so applying the same fix as within Bug 1185351 where we just used | IsInNativeAnonymousSubtree() | doesn't apply here. > Christoph: how should we proceed here? It looks like a CSP bug. I don't think it's a CSP bug though, but you are right, we should not apply CSP when adding a rule. Ehsan probably knows how we can exempt such loads from CSP. Ehsan, any ideas? Just for the sake of completeness, here is the CSP error I receive in the console: > Content Security Policy: The page's settings blocked the loading of a resource at self ("style-src http://vosteran.com"). However, I get a slightly different stacktrace, see below: console.error: Error writing response to: addStyleSheet ************************* A coding exception was thrown in a Promise resolution callback. See https://developer.mozilla.org/Mozilla/JavaScript_code_modules/Promise.jsm/Promise Full message: TypeError: this.rawSheet is null Full stack: StyleSheetActor<.ownerNode@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/stylesheets.js:441:5 StyleSheetActor<.form@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/stylesheets.js:581:1 types.addActorType/type<.write@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:294:44 RetVal<.write@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:529:12 Response<.write/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:682:16 Response<.write@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:680:23 actorProto/</handler/sendReturn@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:1023:24 Handler.prototype.process@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:937:23 this.PromiseWalker.walkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:816:7 Promise*this.PromiseWalker.scheduleWalkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:747:11 this.PromiseWalker.schedulePromise@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:779:7 Promise.prototype.then@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:454:5 actorProto/</handler/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:1043:18 Actor<._queueResponse@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:920:20 actorProto/</handler@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:1042:9 DSC_onPacket@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1643:15 LocalDebuggerTransport.prototype.send/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/transport/transport.js:569:11 exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14 exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14 ************************* console.error: Message: TypeError: this.rawSheet is null Stack: StyleSheetActor<.ownerNode@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/stylesheets.js:441:5 StyleSheetActor<.form@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/stylesheets.js:581:1 types.addActorType/type<.write@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:294:44 RetVal<.write@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:529:12 Response<.write/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:682:16 Response<.write@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:680:23 actorProto/</handler/sendReturn@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:1023:24 Handler.prototype.process@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:937:23 this.PromiseWalker.walkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:816:7 Promise*this.PromiseWalker.scheduleWalkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:747:11 this.PromiseWalker.schedulePromise@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:779:7 Promise.prototype.then@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:454:5 actorProto/</handler/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:1043:18 Actor<._queueResponse@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:920:20 actorProto/</handler@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:1042:9 DSC_onPacket@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1643:15 LocalDebuggerTransport.prototype.send/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/transport/transport.js:569:11 exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14 exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14 StyleSheetActor<.ownerNode@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/stylesheets.js:441:5 StyleSheetActor<.form@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/stylesheets.js:581:1 types.addActorType/type<.write@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:294:44 RetVal<.write@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:529:12 Response<.write/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:682:16 Response<.write@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:680:23 actorProto/</handler/sendReturn@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:1023:24 Handler.prototype.process@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:937:23 this.PromiseWalker.walkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:816:7 Promise*this.PromiseWalker.scheduleWalkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:747:11 this.PromiseWalker.schedulePromise@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:779:7 Promise.prototype.then@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:454:5 actorProto/</handler/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:1043:18 Actor<._queueResponse@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:920:20 actorProto/</handler@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/protocol.js:1042:9 DSC_onPacket@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1643:15 LocalDebuggerTransport.prototype.send/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/transport/transport.js:569:11 exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14 exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14
Flags: needinfo?(ckerschb) → needinfo?(ehsan)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #5) > > Christoph: how should we proceed here? It looks like a CSP bug. > > I don't think it's a CSP bug though, but you are right, we should not apply > CSP when adding a rule. Ehsan probably knows how we can exempt such loads > from CSP. Ehsan, any ideas? Comment 0 contains 0 information about what this bug is about, and how the stacktrace there (or the ones in comment 5) are captured. Unfortunately I don't understand this bug at all, so I can't really answer this question in any useful way. Can you please express the question in a self-contained paragraph? :)
Flags: needinfo?(ehsan) → needinfo?(ckerschb)
Ehsan, sorry for the lack of precision, here are some STR: - Go to http://vosteran.com - Open inspector - Click the '+' icon next to 'Filter Styles' See how nothing happens (no rule is created). The stack trace can be captured simply by opening the Browser Toolbox.
(In reply to Tim Nguyen [:ntim] from comment #7) > Ehsan, sorry for the lack of precision, here are some STR: > - Go to http://vosteran.com > - Open inspector > - Click the '+' icon next to 'Filter Styles' > > See how nothing happens (no rule is created). The stack trace can be > captured simply by opening the Browser Toolbox. Thanks Tim for the STR. Ehsan, basically the problem is that the site's CSP applies to devtools code, but devtools code should be exempt from the site's CSP. We had a similar problem within Bug 1185351, where using |IsInNativeAnonymousSubtree()| fixed the problem and the site's CSP did not apply to devtools code anymore. The problem here is slightly different though, because we are not using native anon code. Devtools code is rather creating a regular <style> DOM Node which allows injecting new user rules created through the inspector. I added a stacktrace within Comment 5 (see also original stacktrace in Comment 0). Any idea how we can exempt such DOM Node creations from being blocked by CSP?
Flags: needinfo?(ckerschb) → needinfo?(ehsan)
As far as I know, there is no real difference between a style element added by devtools code versus one added by the web page itself, so as things stand, there is no way to differentiate on the source of the style element, and therefore it's impossible to make it not be subject to the site's CSP. The case of a node in a native anonymous subtree is different since native anonymous subtrees are not exposed to the web page script, so there's no way for such an element to come from the web page. It seems like in this case, devtools needs to do something different. Injecting nodes into the DOM is not really OK since those nodes will be visible to the web page script, they can change the meaning of CSS selectors, etc.
Flags: needinfo?(ehsan)
Worth noting: clicking on the "new" button in the style-editor to create a new stylesheet also fails on this site for the same reason. Here are the interesting parts of the errors displayed in the console when this happens: > Error writing response to: addStyleSheet protocol.js:1025 > > Content Security Policy: The page's settings blocked the loading of a resource at self ("style-src http://vosteran.com")./:1 > > Full Message: Protocol error (unknownError): this.rawSheet is null The style-editor tries to create an inline stylesheet in the page just like when using the "Add rule" button in the inspector. Interestingly, this works fine in Chrome even if they also insert a <style> element in the DOM. As Ehsan said, we either need a way to differentiate DOM elements/attributes added/modified by devtools so we can avoid them being subject to the site's CSP, or find another way to inject stylesheets. The only other way I can think of now is attaching an author stylesheet using the sdk: https://developer.mozilla.org/en-US/Add-ons/SDK/Low-Level_APIs/stylesheet_style Something like this: let {Style} = require("sdk/stylesheet/style"); let {attach} = require("sdk/content/mod"); let style = Style({ source: "body{background:blue;}", type: "author" }); attach(style, win); This works even with the site's CSP. The "author" type makes it show nicely in the rule-view, however the new sheet doesn't appear in the style-editor somehow. Also, the SDK Style constructor doesn't seem to return an object we can later use to modify the sheet, so we'd have to detach and re-attach a new sheet every time a property is modified/added/deleted.
Yeah, doing something along those lines is a good idea. I'm not sure how the add-on SDK stylesheet API works but the presshell supports a number of APIs for loading various types of stylesheets without injecting style nodes into the DOM: <https://dxr.mozilla.org/mozilla-central/source/layout/base/nsPresShell.h#582> Some of these (IIRC the agent stylesheets for example) are exposed from nsIPresShell, and we can expose more of them if needed.
No longer blocks: top-inspector-bugs
Product: Firefox → DevTools
Blocks: devtools-csp
Summary: "Add new rule" doesn't work on http://vosteran.com/ → "Add new rule" is blocked by CSP
The fix here will likely be similar to the fix for Bug 1391994.
Assignee: nobody → bwerth
Whiteboard: [btpp-fix-later] → [btpp-fix-later][dt-q]

Also see bug 1455663.

I asked Christoph Kerschbaumer [:ckerschb] (based in Austria) what we should do.

He said "If needed we can definitely find a fix for the specific problem reported in this bug. Overall, we are going to move the CSP from the Principal into the Client (within the loadinfo) over in Bug 965637. I am confident that the changes within Bug 965637 provide a broader solution to all the Devtools related problems with CSP we are facing."

Assignee: bwerth → nobody
Depends on: 965637

(In reply to Patrick Brosset <:pbro> from comment #10)

As Ehsan said, we either need a way to differentiate DOM elements/attributes
added/modified by devtools so we can avoid them being subject to the site's
CSP, or find another way to inject stylesheets.

The only other way I can think of now is attaching an author stylesheet
using the sdk:
https://developer.mozilla.org/en-US/Add-ons/SDK/Low-Level_APIs/
stylesheet_style
Something like this:

let {Style} = require("sdk/stylesheet/style");
let {attach} = require("sdk/content/mod");
let style = Style({
source: "body{background:blue;}",
type: "author"
});
attach(style, win);

This works even with the site's CSP. The "author" type makes it show nicely
in the rule-view, however the new sheet doesn't appear in the style-editor
somehow. Also, the SDK Style constructor doesn't seem to return an object we
can later use to modify the sheet, so we'd have to detach and re-attach a
new sheet every time a property is modified/added/deleted.

Injecting author stylesheets through the SDK would also be blocked. User stylesheets would work but this would be very confusing to users as the specificity of user sheets is completely different from that of author stylesheets.

Beyond that we still need to be able to inject scripts e.g. for the console to work.

@ckerschb you said that "If needed we can definitely find a fix for the specific problem reported in this bug. Overall, we are going to move the CSP from the Principal into the Client (within the loadinfo) over in Bug 965637. I am confident that the changes within Bug 965637 provide a broader solution to all the Devtools related problems with CSP we are facing."
@ckerschb In Chrome the DevTools are completely immune to CSP so this is an issue keeping an increasingly large number of users using Chrome.
@ckerschb We have a bunch of issues here.
@ckerschb Can you see a way forward for us? This really needs dealing with because it is giving Chrome a huge advantage when it comes to Developer Tools.

Flags: needinfo?(ckerschb)

@hkirschner Just needinfoing you so you can see comment 15.

Chrome DevTools are immune to CSP so this issue is giving them a competitive advantage.

Flags: needinfo?(hkirschner)

Bug 965637 has been on my radar for a while and I was hoping that these kind of issues will quickly be addressed given the improved foundation.

CSP issues are not just affecting devtools and but also devtools extensions (bug 1267027). The impact on web compat caused by developers being enable to use the tools, can be severe. CSP-protected pages are presumably often in the productivity/finance/social/enterprise categories and critical for users to work well.

Flags: needinfo?(hkirschner)

(In reply to Mike Ratcliffe [:miker] [:mratcliffe] [:mikeratcliffe] from comment #15)

@ckerschb Can you see a way forward for us? This really needs dealing with because it is giving Chrome a huge advantage when it comes to Developer Tools.

I totally agree that we need a generic solution for the problem moving forward because having Devtools blocked by CSP really shouldn't happen. It seems Bug 1391994 is very similar to this one. Let me dig into the problem a little to get a better overview of what we can do. Keeping my ni? for now.

New STR to test this again:

  • open https://crates.io/crates/goblin
  • open the inspector panel in DevTools
  • in the Rules panel where the CSS is displayed, click the + icon in the toolbar to try to add a new rule.

Expected: a new <style> stylesheet appears in the DOM and the new rule (pre-filled with some default selector) appears in the Rules panel ready for you to edit
Actual: the new <style> node appears, but nothing else happens. The following error is displayed in the browser console:

Error while calling actor 'pagestyle's method 'addNewRule' sheet is null Actor.js:91:13
    writeError resource://devtools/shared/protocol/Actor.js:91
    handler resource://devtools/shared/protocol/Actor.js:187
addNewRule@resource://devtools/server/actors/styles.js:1045:22
handler@resource://devtools/shared/protocol/Actor.js:154:37
onPacket@resource://devtools/server/main.js:1402:58
receiveMessage@resource://devtools/shared/transport/child-transport.js:66:16
Actor.js:96:15
    writeError resource://devtools/shared/protocol/Actor.js:96
    handler resource://devtools/shared/protocol/Actor.js:187

So if I understand correctly, the issue is that "add new rules" creates a <style> element and injects it into the DOM, and CSP that does not include style-src 'unsafe-inline' blocks that.

What we could try to do instead is create a sheet directly and add it to the document. There are Document APIs for doing that for sheets with URIs, declared at https://searchfox.org/mozilla-central/rev/a777ff11b6d700a698c61e5bd17e73b044304494/dom/base/Document.h#2001-2005 and exposed to script via https://searchfox.org/mozilla-central/rev/a777ff11b6d700a698c61e5bd17e73b044304494/dom/interfaces/base/nsIDOMWindowUtils.idl#1623-1658 but those are not a perfect fit: we'd need to synthesize a data: URI or something like that (and ensure that CSP does not block it).

Another option would be to allow adding/removing sheets by just object identity (we have addition already on Document; we'd need to add removal and JS-visible entry points for both) and add a way to create those sheets from a string; the constructible stylesheets proposal might be relevant here. Though we still need to think about how those should interact with CSP...

Emilio, do you have any thoughts when you get back?

Flags: needinfo?(emilio)

Clearing my ni? here after the meeting discussion yesterday.

Flags: needinfo?(ckerschb)

(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #20)

What we could try to do instead is create a sheet directly and add it to the document. There are Document APIs for doing that for sheets with URIs, declared at https://searchfox.org/mozilla-central/rev/a777ff11b6d700a698c61e5bd17e73b044304494/dom/base/Document.h#2001-2005 and exposed to script via https://searchfox.org/mozilla-central/rev/a777ff11b6d700a698c61e5bd17e73b044304494/dom/interfaces/base/nsIDOMWindowUtils.idl#1623-1658 but those are not a perfect fit: we'd need to synthesize a data: URI or something like that (and ensure that CSP does not block it).

Another option would be to allow adding/removing sheets by just object identity (we have addition already on Document; we'd need to add removal and JS-visible entry points for both) and add a way to create those sheets from a string; the constructible stylesheets proposal might be relevant here. Though we still need to think about how those should interact with CSP...

IIUC addons right now do the PreloadedStyleSheet dance, minting a data: URI: https://searchfox.org/mozilla-central/rev/a777ff11b6d700a698c61e5bd17e73b044304494/toolkit/components/extensions/ExtensionContent.jsm#268. It'd be great if we used the same thing for both.

Your summary is pretty good. With constructable stylesheets we could do this without much problem, I guess. It's somewhere in the backlog, modulo pending spec issues to be discussed at TPAC.

What do addons do to not get injected <script>s blocked by CSP? Can we do something like that for <style> elements?

Flags: needinfo?(emilio)

What do addons do to not get injected <script>s blocked by CSP? Can we do something like that for <style> elements?

For scripts with src, when we set the src attribute we capture the principal that's doing the set and end up using that principal for the CSP checks.

For inline scripts injected by addons, I expect those would get blocked.

Assignee: nobody → bwerth
Attached file csp_style_src_none.html (deleted) —

Simplified test case with these Steps to Reproduce:

  1. Open devtools Inspector and select any DOM element.
  2. In the Rules sub-panel, click the "+" button to add a new rule.

Expected Results:

A new, blank rule is added with a selector matching the DOM element.

Actual Results:

Nothing happens. Browser Console shows this error:

Error while calling actor 'pagestyle's method 'addNewRule' can't access property "cssRules", sheet is null

I'm realizing we can fix this by adding a createElementDevtoolsNS method in Element.webidl, similar to how Bug 1391994 was implemented. I don't know if a constructible stylesheet approach would allow us to do this without adding any new API. For now, I'll build a patch that does it this way (using special principal to inject a DOM style element, which is then parsed) and continue to investigate the constructible stylesheet approach.

(In reply to Brad Werth [:bradwerth] from comment #26)

I'm realizing we can fix this by adding a createElementDevtoolsNS method in Element.webidl, similar to how Bug 1391994 was implemented. I don't know if a constructible stylesheet approach would allow us to do this without adding any new API. For now, I'll build a patch that does it this way (using special principal to inject a DOM style element, which is then parsed) and continue to investigate the constructible stylesheet approach.

I was wrong. createElement is in Document.webidl, and always uses the Document principal to create the new element. There's not an obvious way to impose an alternative principal into the process. Still looking...

D77557 fixes the bug, but is a bit clumsy. I'll still look for a solution that uses constructible stylesheets which ideally won't require a new API to solve this issue.

Pushed by bwerth@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7889687e6dbf Part 1: Extend HTMLStyleElement to allow devtools to become the triggering principal. r=ckerschb,emilio
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
Regressed by: 1798848
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: