Allow remote custom CSS to adjust section and/or card styles
Categories
(Firefox :: New Tab Page, enhancement, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox66 | --- | fixed |
People
(Reporter: Mardak, Assigned: Mardak)
References
Details
(Keywords: github-merged)
User Story
1. from tab 1 about:config enable discovery stream `browser.newtabpage.activity-stream.discoverystream.config` with default layout (control) 2. open tab 2 new tab and see content 3. in tab 1, change endpoint to `…&layout_variant=dev-test-styles` 4. tab 2 should update with red text, green text, etc 5. in tab 1, change endpoint back to `…&layout_variant=control` 6. tab 2 should update with no custom colors
Attachments
(4 files)
Assignee | ||
Comment 1•6 years ago
|
||
Assignee | ||
Comment 2•6 years ago
|
||
Updated•6 years ago
|
Assignee | ||
Comment 4•6 years ago
|
||
Updated•6 years ago
|
Assignee | ||
Comment 6•6 years ago
|
||
Updated•6 years ago
|
Assignee | ||
Comment 7•6 years ago
|
||
heycam and I discussed last week some approaches to sanitize server provided "CSS", and generally leveraging CSSOM allows safer checking of both declarations and selectors rather than reimplementing parsing css with raw css and more reusability than shadow DOM.
Declarations can be checked with something like document.createElement("dummy").style = declarations
where only valid declarations are accepted and selectors, etc. are rejected. Then individual normalized property values can be read out for additional checks, e.g., verify url("…") patterns, ignore certain properties or values.
Selectors can be checked by adding a rule with no declarations, e.g., sheet.insertRule(selectors + "{}")
where insertRule allows only one rule at a time preventing sneaking in declarations with {}/newlines/etc.
To additionally scope server provided selectors, we can prefix a container selector in front of each selector split on "," if the server wants to style multiple descendants with the same declarations. Notably, a simple selectors.split(",")
results in invalid selectors if a selector included commas as a string, e.g., div[attr="a,b"]
, however given our existing usage of attributes (currently class, dir, title), it seems acceptable to limit the expressiveness of selectors using commas in strings.
Compared to raw css, specifically setting style declarations and selectors limits the CSS to style rules (as opposed to import, media, keyframes, etc.) And prefixing a selector limits the concatenated selector to siblings and descendants where notably siblings could also be styled with the functionality here anyway.
Comment 8•6 years ago
|
||
Clearing the need-info, as we've just discussed the details in our meeting.
Ed will work on a CSS sanitizer to ensure all URLs are pointing to our CDN (or are strictly local, pending a decision from Product team).
I'll provide some test cases early on and perform a security test on the sanitizer, once implemented.
Assignee | ||
Comment 9•6 years ago
|
||
nchapman says allowing pocket cdn would be nice, but starting with only chrome/resource if it helps keep things simple.
mathijs says images could be hosted at https://img-getpocket.cdn.mozilla.net
I suppose a simple implementation could check the normalized url() declaration for those 3 url prefixes. This happens to disallow relative urls which should be fine as it could just be written as resource://activity-stream/…
Assignee | ||
Updated•6 years ago
|
Comment 10•6 years ago
|
||
Assignee | ||
Comment 11•6 years ago
|
||
freddyb, here's a try build of https://github.com/mozilla/activity-stream/pull/4674
https://treeherder.mozilla.org/#/jobs?repo=try&revision=a45865f11249653859224fea7fffa9c688943b6a
The PR has a sample pref with a data uri layout JSON that includes styles and an example screenshot.
If you have some selectors and declarations to try out, I can take a screenshot of the result and console.
Comment 12•6 years ago
|
||
Assignee | ||
Comment 13•6 years ago
|
||
For QA testing, changing the json pref config browser.newtabpage.activity-stream.discoverystream.config to be enabled and use layout_variant=dev-test-styles
instead of layout_variant=dev-test-1
should result in something like attached.
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Comment 14•6 years ago
|
||
Comment 15•6 years ago
|
||
Clearing needinfo in favor of spin-off bug 1521479
Assignee | ||
Updated•6 years ago
|
Comment 16•6 years ago
|
||
QA Results:
Tested on :
FF Nightly version : 66.0a1 (2019-01-22)
OS : Mac and Windows 10
Works as expected. New Layout Output in the attachment QA Result : bug - 1513311.png
Looks good to me.
Closing as verified.
Updated•6 years ago
|
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Updated•5 years ago
|
Updated•5 years ago
|
Assignee | ||
Updated•5 years ago
|
Description
•