On Wed, 20 Jul 2011 20:55:51 +0100, Ashley Sheridan
<a...@ashleysheridan.co.uk> wrote:
<div id=widget>
<style scoped>
#widget foo {}
</style>
</div>
While I agree that that might be a common pattern, I disagree that it's
actually a good one. Consider an ad service which wraps everything in a
custom <div> tag. If the scope allowed the immediate parent to be
included as part of the scope, then it could allow the advert to be
altered in a way that could negatively affect the users of the site the
ad appeared on.
The site could wrap the ad in another div to prevent that (and this is
typical when the site wants to create fixed-size ad slot).
The purpose of scope in the style seems to be to protect elements
outside of the included content and to 'contain' the included content
that has the <style scoped> element in it, presumably because it's
coming from an external source. If you allowed the immediate parent as
your example, then it could allow the 3rd parties who created the advert
to take over the element beyond what the advert service would prefer to
be allowed.
For rogue 3rd parties there's <iframe> in seamless and sandboxed flavors.
If author is allowing untrusted and misbehaving code in the DOM, then it's
already game over — the ad can do anything, including creating <style>
without scope and modifying other stylesheets.
Even scoped style could use position:absolute or fixed to modify looks of
something outside the element.
--
regards, Kornel Lesiński