On Thursday, October 17, 2019 at 3:15:49 PM UTC-7, Sean Voisen wrote:
> On Thu, Oct 17, 2019 at 1:05 PM <ikilpatr...@chromium.org> wrote:
> >
> > These features (broadly speaking) are different however. According to the
> > above policy:
> > "Exceptions to requiring secure contexts"
> > " - other browsers already ship the feature insecurely"
> >
> > Most (all?) of the non-trivial features above have shipped in other
> > browsers insecurely before shipping in Firefox, hence the above exception
> > applies.
> >
> But it also says: "In contrast, a new CSS color keyword would likely not be
> restricted to secure contexts." Given that this is a new value for
> grid-template-*, and not a new CSS property, I'd argue it doesn't apply.

I'd argue that the color example is a "trivial" feature, unlike subgrid. But 
the original framer of the policy would have a better understanding of what 
that meant.

FWIW most new CSS features are placed behind values/etc, so I don't believe 
that is the distinction in the policy.
> > "subgrid" is different as Firefox is shipping this feature first.
> >
> I believe we were also first to ship the support for multiple display
> values, but again those are values. And I think we're the first on
> ::marker. These were not restricted.

Again "multiple dipslay values" are probably in the "trivial" feature bucket 
(if that exists).

::marker (which seems like it was only shipped recently) probably should have 
been restricted to secure contexts by this policy?

> > > As far as I know we don't even have a mechanism that I could
> > > have used to restrict subgrid to secure contexts.  And to be
> > > clear: I have no intention of blocking subgrid on waiting for
> > > such a mechanism.
> >
> > This should just involve passing a isSecureContext flag into the your CSS
> > parser?
> >
> There's also the consideration as to whether allowing grid in non-secure
> contexts, but NOT subgrid, even makes sense. I think it would oddly
> fracture support for grid layouts as a whole (or at least potentially make
> things confusing for developers — it's certainly more confusing than just
> restricting access to a single property like backdrop-filter or something).
> Perhaps we should ask what the value of restricting only subgrid to secure
> contexts even brings. If part of the spirit of the policy (at least the
> part that applies here) is to quicken adoption of secure contexts, is the
> value of subgrid's contribution to this endeavor worth the trade-off of
> potential user confusion?

For almost any CSS feature you could make a similar argument I believe.

I think one interesting part here is that (from my knowledge) this policy 
actually hasn't been applied yet, due to the "other browsers shipping 
insecurely" exception.
But all good questions!

> > Given this shouldn't a "...Mozilla’s Distinguished Engineers to judge the
> > outcome..."?
> >
> It's an interesting test of the policy. Thanks for bringing it up :)

No problem!

I trust the Mozilla community will decide on a reasonable outcome, and update 
the policy if necessary.
dev-platform mailing list

Reply via email to