On Thursday, October 17, 2019 at 12:47:27 PM UTC-7, Mats Palmgren wrote:
> On 10/17/19 8:12 PM, ikilpatr...@chromium.org wrote:
> > On Thursday, October 17, 2019 at 11:06:48 AM UTC-7, Mats Palmgren wrote:
> >> As far as I know, we never constrain new CSS features to secure
> >> contexts. At least not on the property/value level.
> > 
> > According to
> > https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/
> > you should be?
> > 
> > "Effective immediately, all new features that are web-exposed are to be
> > restricted to secure contexts. Web-exposed means that the feature is
> > observable from a web page or server, whether through JavaScript, CSS,
> > HTTP, media formats, etc."
> 
> True, but we have never applied that policy for CSS features
> as far as I know.  Just recently we've added 'column-span',
> the ::marker pseudo, new 'display' syntax with values like
> 'inline list-item', 'block ruby' etc, 'clip-path: path()',
> and a long list of other CSS features since 2018.

These features (broadly speaking) are different, however. According to the above
policy:
"Exceptions to requiring secure contexts"
" - other browsers already ship the feature insecurely"

Most (all?) of the non-trivial features above have shipped in other browsers 
insecurely before shipping in Firefox, hence the above exception applies.

"subgrid" is different as Firefox is shipping this feature first.

> As far as I know we don't even have a mechanism that I could
> have used to restrict subgrid to secure contexts.  And to be
> clear: I have no intention of blocking subgrid on waiting for
> such a mechanism.

This should just involve passing an isSecureContext flag into your CSS
parser?

> 
> > Or is the policy wrong and needs to be updated?
> 
> Maybe, but that's not for me to decide.
> 
> The issue you raise is a good one, but it's not really related
> to subgrid specifically.  Perhaps it would be better if you
> start a new thread regarding how that policy applies (or not)
> to CSS features in general?

See above - I believe it actually is only related to this feature, as it is 
shipping in Firefox first.

Given this shouldn't a "...Mozilla’s Distinguished Engineers to judge the 
outcome..."?

> 
> /Mats

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
