[cssom-view] HTMLElement.prototype.offsetParent leaks a node inside a shadow tree #159
Comments
|
I support @rniwa's answer - walking up until you find a valid (non-leaky) This will still leave us with cases where an element is in a shadow tree and the only possible offset parents are outside the shadow. That leaks in the opposite way - info leaking into the shadow. Is that ok? I know this happens with CSS inheritance and such, but I dunno how strict we are about element refs leaking in. |
|
I think it's okay for shadow tree to access to elements outside the shadow tree since that's already possible via |
|
In that case, 👍 to the idea. |
|
Okay. We can fix this by using "unclosed node" (https://dom.spec.whatwg.org/#concept-unclosed-node) https://drafts.csswg.org/cssom-view/#dom-htmlelement-offsetparent
A quick fix can be:
Let me send a PR. |
|
Now with the fix merged, what Considering the following code, what would be in the log output? Is it still possible for the node C to discover that it is inside a fixed container? var A = document.createElement('node-a');
document.body.appendChild(A);
var shadowRoot = A.attachShadow({mode: 'closed'});
var B = document.createElement('node-b');
shadowRoot.appendChild(B);
B.style.position = 'fixed';
var slot = document.createElement('slot');
B.appendChild(slot);
var C = document.createElement('node-c');
A.appendChild(C);
console.log(C.offsetParent.localName); |
|
Node C's |
|
@rniwa then it looks like it's now completely impossible to discover for the node C that it's inside a fixed container. We have a component that should behave differently inside a fixed container. So we use a fixed container detection. Previously, it was safe to walk through Aside from that, |
|
No, |
|
@rniwa node B’s containing block is the viewport, since it is fixed. I assume, that in case when the node’s containing block is the viewport, Anyways, it doesn't really matter for this case if |
|
I feel like the proper solution would be to disallow shadow containing blocks, excluding them from containing block chains. So that when a shadow node has non-static position, it does not affect the positioning of the absolute descendants outside shadow. This should make |
|
@platosha
Ancestor in this context should be interpreted as an ancestor in a flat tree. https://drafts.csswg.org/css-scoping/#flattening Ancestor chain in this case is: (slot), (B) (its position is fixed, but it is not unclosed) or (A) should be skipped because it does not meet the condition. |
It sounds that users of a closed shadow tree should be aware of this limitation. |
|
If a user agent naively implements the new behavior, it would just recursively apply the original offsetParent like: and C's But if a user agent implements "the nearest ancestor unclosed node", as @hayatoito #159 (comment), So in this case, returning BTW, I don't understand @platosha 's comment:
What do "blocks" / "block chains" mean here? If this is implemented, what the A/B/C example above will be styled/rendered, and what is the expected |
|
Hmm, I may be wrong. In the CSSOM spec, "ancestor" does not mean DOM tree's ancestor, but box-tree based one. So it will return null even if the spec is unchanged? |
|
I think the spec tries to operate on the DOM tree here. I'm not entirely sure if that matches what is implemented though. |
|
We should clarify that it operates on a flat tree (or layout block tree based on a flat tree?). See https://drafts.csswg.org/css-scoping/#flattening I thought that unless otherwise mentioned, it is based on a flat tree. However, explicit might be better than implicit here. |
|
During the code review conversation with @hayatoito, I'll send a PR shortly for changing the spec. |
|
Yeah. @platosha I am sorry. I did not understand the problem deeply. |
emilio
changed the title
Per w3c/csswg-drafts#159. The test is imported from WebKit, who has already implemented this, with a few fixes to avoid duplicate test names and non-undefined return values from add_cleanup. See the diff attached to the bug. Differential Revision: https://phabricator.services.mozilla.com/D15938 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1514074 gecko-commit: e0a5cb126f2f084e5f7f3d5f0be0222a7fd67479 gecko-integration-branch: autoland gecko-reviewers: smaug
Per w3c/csswg-drafts#159. The test is imported from WebKit, who has already implemented this, with a few fixes to avoid duplicate test names and non-undefined return values from add_cleanup. See the diff attached to the bug. Differential Revision: https://phabricator.services.mozilla.com/D15938 --HG-- extra : moz-landing-system : lando
Per w3c/csswg-drafts#159. The test is imported from WebKit, who has already implemented this, with a few fixes to avoid duplicate test names and non-undefined return values from add_cleanup. See the diff attached to the bug. Differential Revision: https://phabricator.services.mozilla.com/D15938
Per w3c/csswg-drafts#159. The test is imported from WebKit, who has already implemented this, with a few fixes to avoid duplicate test names and non-undefined return values from add_cleanup. See the diff attached to the bug. Differential Revision: https://phabricator.services.mozilla.com/D15938 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1514074 gecko-commit: e0a5cb126f2f084e5f7f3d5f0be0222a7fd67479 gecko-integration-branch: autoland gecko-reviewers: smaug
Per w3c/csswg-drafts#159. The test is imported from WebKit, who has already implemented this, with a few fixes to avoid duplicate test names and non-undefined return values from add_cleanup. See the diff attached to the bug. Differential Revision: https://phabricator.services.mozilla.com/D15938 UltraBlame original commit: e0a5cb126f2f084e5f7f3d5f0be0222a7fd67479
Per w3c/csswg-drafts#159. The test is imported from WebKit, who has already implemented this, with a few fixes to avoid duplicate test names and non-undefined return values from add_cleanup. See the diff attached to the bug. Differential Revision: https://phabricator.services.mozilla.com/D15938 UltraBlame original commit: e0a5cb126f2f084e5f7f3d5f0be0222a7fd67479
Per w3c/csswg-drafts#159. The test is imported from WebKit, who has already implemented this, with a few fixes to avoid duplicate test names and non-undefined return values from add_cleanup. See the diff attached to the bug. Differential Revision: https://phabricator.services.mozilla.com/D15938 UltraBlame original commit: e0a5cb126f2f084e5f7f3d5f0be0222a7fd67479
|
Hm... looks like Blink still hasn't implemented this behavior? @rakina, @tkent-google: Can someone from Blink side follow up on this? We're getting bug reports like https://bugs.webkit.org/show_bug.cgi?id=204195 |
|
@rniwa I contacted the current owner of Shadow DOM in Chromium project about this issue. Here is a tracking issue: https://bugs.chromium.org/p/chromium/issues/detail?id=920069 |
New behavior for offsetParent in shadow trees was discussed in [1] and [2]. This lead to a chromium patch [3] which changed the behavior. After [3] landed, the desired behavior in the discussions in [1] and [2] seemed to have changed. Unfortunately, the author of [3] was no longer working on chromium. This new behavior was then added to the spec and landed in webkit [4] and firefox [5], and a WPT was added for it [6]. This patch implements the new behavior to follow suit with webkit and firefox based on the WPT in [6]. Unfortunately, there are several tests which are either internal to chromium or are only passing in chromium which appear to oppose this new behavior and will have to be updated or removed: - external/wpt/css/css-contain/content-visibility/content-visibility-035.html - external/wpt/css/css-contain/content-visibility/content-visibility-044.html - fast/dom/shadow/offset-parent-does-not-leak-ua-shadow.html - shadow-dom/offsetParent.html For shadow-dom/offsetParent.html, I verified that firefox and safari both currently fail the same tests which this patch does. [1] WICG/webcomponents#497 [2] w3c/csswg-drafts#159 [3] https://chromium.googlesource.com/chromium/src/+/18d455ee833f6a30dcbe2755380861eb75cd9f6f [4] https://trac.webkit.org/changeset/239313/webkit [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1514074 [6] https://wpt.fyi/results/shadow-dom/offsetParent-across-shadow-boundaries.html Fixed: 920069 Change-Id: I168edc5ad0e4fcb92d0c4a440623f2424b14a988
New behavior for offsetParent in shadow trees was discussed in [1] and [2]. This lead to a chromium patch [3] which changed the behavior. After [3] landed, the desired behavior in the discussions in [1] and [2] seemed to have changed. Unfortunately, the author of [3] was no longer working on chromium. This new behavior was then added to the spec and landed in webkit [4] and firefox [5], and a WPT was added for it [6]. This patch implements the new behavior to follow suit with webkit and firefox based on the WPT in [6]. Unfortunately, there are several tests which are either internal to chromium or are only passing in chromium which appear to oppose this new behavior and will have to be updated or removed: - external/wpt/css/css-contain/content-visibility/content-visibility-035.html - external/wpt/css/css-contain/content-visibility/content-visibility-044.html - fast/dom/shadow/offset-parent-does-not-leak-ua-shadow.html - shadow-dom/offsetParent.html For shadow-dom/offsetParent.html, I verified that firefox and safari both currently fail the same tests which this patch does. [1] WICG/webcomponents#497 [2] w3c/csswg-drafts#159 [3] https://chromium.googlesource.com/chromium/src/+/18d455ee833f6a30dcbe2755380861eb75cd9f6f [4] https://trac.webkit.org/changeset/239313/webkit [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1514074 [6] https://wpt.fyi/results/shadow-dom/offsetParent-across-shadow-boundaries.html Fixed: 920069 Change-Id: I168edc5ad0e4fcb92d0c4a440623f2424b14a988
New behavior for offsetParent in shadow trees was discussed in [1] and [2]. This lead to a chromium patch [3] which changed the behavior. After [3] landed, the desired behavior in the discussions in [1] and [2] seemed to have changed. Unfortunately, the author of [3] was no longer working on chromium. This new behavior was then added to the spec and landed in webkit [4] and firefox [5], and a WPT was added for it [6]. This patch implements the new behavior to follow suit with webkit and firefox based on the WPT in [6]. Unfortunately, there are several tests which are either internal to chromium or are only passing in chromium which appear to oppose this new behavior and will have to be updated or removed: - external/wpt/css/css-contain/content-visibility/content-visibility-035.html - external/wpt/css/css-contain/content-visibility/content-visibility-044.html - fast/dom/shadow/offset-parent-does-not-leak-ua-shadow.html - shadow-dom/offsetParent.html For shadow-dom/offsetParent.html, I verified that firefox and safari both currently fail the same tests which this patch does. [1] WICG/webcomponents#497 [2] w3c/csswg-drafts#159 [3] https://chromium.googlesource.com/chromium/src/+/18d455ee833f6a30dcbe2755380861eb75cd9f6f [4] https://trac.webkit.org/changeset/239313/webkit [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1514074 [6] https://wpt.fyi/results/shadow-dom/offsetParent-across-shadow-boundaries.html Fixed: 920069 Change-Id: I168edc5ad0e4fcb92d0c4a440623f2424b14a988
New behavior for offsetParent in shadow trees was discussed in [1] and [2]. This lead to a chromium patch [3] which changed the behavior. After [3] landed, the desired behavior in the discussions in [1] and [2] seemed to have changed. Unfortunately, the author of [3] was no longer working on chromium. This new behavior was then added to the spec and landed in webkit [4] and firefox [5], and a WPT was added for it [6]. This patch implements the new behavior to follow suit with webkit and firefox based on the WPT in [6]. Unfortunately, there are several tests which are either internal to chromium or are only passing in chromium which appear to oppose this new behavior and will have to be updated or removed: - external/wpt/css/css-contain/content-visibility/content-visibility-035.html - external/wpt/css/css-contain/content-visibility/content-visibility-044.html - fast/dom/shadow/offset-parent-does-not-leak-ua-shadow.html - shadow-dom/offsetParent.html For shadow-dom/offsetParent.html, I verified that firefox and safari both currently fail the same tests which this patch does. [1] WICG/webcomponents#497 [2] w3c/csswg-drafts#159 [3] https://chromium.googlesource.com/chromium/src/+/18d455ee833f6a30dcbe2755380861eb75cd9f6f [4] https://trac.webkit.org/changeset/239313/webkit [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1514074 [6] https://wpt.fyi/results/shadow-dom/offsetParent-across-shadow-boundaries.html Fixed: 920069 Change-Id: I168edc5ad0e4fcb92d0c4a440623f2424b14a988 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2775208 Reviewed-by: Mason Freed <[email protected]> Reviewed-by: vmpstr <[email protected]> Reviewed-by: Ian Kilpatrick <[email protected]> Commit-Queue: Joey Arhar <[email protected]> Cr-Commit-Position: refs/heads/master@{#872658}
New behavior for offsetParent in shadow trees was discussed in [1] and [2]. This lead to a chromium patch [3] which changed the behavior. After [3] landed, the desired behavior in the discussions in [1] and [2] seemed to have changed. Unfortunately, the author of [3] was no longer working on chromium. This new behavior was then added to the spec and landed in webkit [4] and firefox [5], and a WPT was added for it [6]. This patch implements the new behavior to follow suit with webkit and firefox based on the WPT in [6]. Unfortunately, there are several tests which are either internal to chromium or are only passing in chromium which appear to oppose this new behavior and will have to be updated or removed: - external/wpt/css/css-contain/content-visibility/content-visibility-035.html - external/wpt/css/css-contain/content-visibility/content-visibility-044.html - fast/dom/shadow/offset-parent-does-not-leak-ua-shadow.html - shadow-dom/offsetParent.html For shadow-dom/offsetParent.html, I verified that firefox and safari both currently fail the same tests which this patch does. [1] WICG/webcomponents#497 [2] w3c/csswg-drafts#159 [3] https://chromium.googlesource.com/chromium/src/+/18d455ee833f6a30dcbe2755380861eb75cd9f6f [4] https://trac.webkit.org/changeset/239313/webkit [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1514074 [6] https://wpt.fyi/results/shadow-dom/offsetParent-across-shadow-boundaries.html Fixed: 920069 Change-Id: I168edc5ad0e4fcb92d0c4a440623f2424b14a988 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2775208 Reviewed-by: Mason Freed <[email protected]> Reviewed-by: vmpstr <[email protected]> Reviewed-by: Ian Kilpatrick <[email protected]> Commit-Queue: Joey Arhar <[email protected]> Cr-Commit-Position: refs/heads/master@{#872658}
…rees, a=testonly Automatic update from web-platform-tests Update offsetParent behavior in shadow trees New behavior for offsetParent in shadow trees was discussed in [1] and [2]. This lead to a chromium patch [3] which changed the behavior. After [3] landed, the desired behavior in the discussions in [1] and [2] seemed to have changed. Unfortunately, the author of [3] was no longer working on chromium. This new behavior was then added to the spec and landed in webkit [4] and firefox [5], and a WPT was added for it [6]. This patch implements the new behavior to follow suit with webkit and firefox based on the WPT in [6]. Unfortunately, there are several tests which are either internal to chromium or are only passing in chromium which appear to oppose this new behavior and will have to be updated or removed: - external/wpt/css/css-contain/content-visibility/content-visibility-035.html - external/wpt/css/css-contain/content-visibility/content-visibility-044.html - fast/dom/shadow/offset-parent-does-not-leak-ua-shadow.html - shadow-dom/offsetParent.html For shadow-dom/offsetParent.html, I verified that firefox and safari both currently fail the same tests which this patch does. [1] WICG/webcomponents#497 [2] w3c/csswg-drafts#159 [3] https://chromium.googlesource.com/chromium/src/+/18d455ee833f6a30dcbe2755380861eb75cd9f6f [4] https://trac.webkit.org/changeset/239313/webkit [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1514074 [6] https://wpt.fyi/results/shadow-dom/offsetParent-across-shadow-boundaries.html Fixed: 920069 Change-Id: I168edc5ad0e4fcb92d0c4a440623f2424b14a988 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2775208 Reviewed-by: Mason Freed <[email protected]> Reviewed-by: vmpstr <[email protected]> Reviewed-by: Ian Kilpatrick <[email protected]> Commit-Queue: Joey Arhar <[email protected]> Cr-Commit-Position: refs/heads/master@{#872658} -- wpt-commits: 8d8b8c4e2e42d07398fd5e98b541ee239e1d35a4 wpt-pr: 28201
The spec for offsetParent was changed here: w3c/csswg-drafts#159 This change was implemented in Safari and Firefox, but hasn't been implemented in Chrome, until now: https://chromium-review.googlesource.com/c/chromium/src/+/2775208 When I made this change in chrome, it broke some chrome:// internal pages which use paper-tooltip: https://bugs.chromium.org/p/chromium/issues/detail?id=1200750 https://bugs.chromium.org/p/chromium/issues/detail?id=1202105 This patch fixes paper-tooltip to use the new offsetParent behavior by adding a polyfill for the old offsetParent behavior. The issues reported in the above bugs would also occur in Firefox and Safari, but nobody ever found out because those chrome:// pages were obviously never tested in Firefox or Safari.
New behavior for offsetParent in shadow trees was discussed in [1] and [2]. This lead to a chromium patch [3] which changed the behavior. After [3] landed, the desired behavior in the discussions in [1] and [2] seemed to have changed. Unfortunately, the author of [3] was no longer working on chromium. This new behavior was then added to the spec and landed in webkit [4] and firefox [5], and a WPT was added for it [6]. This patch implements the new behavior to follow suit with webkit and firefox based on the WPT in [6]. Unfortunately, there are several tests which are either internal to chromium or are only passing in chromium which appear to oppose this new behavior and will have to be updated or removed: - external/wpt/css/css-contain/content-visibility/content-visibility-035.html - external/wpt/css/css-contain/content-visibility/content-visibility-044.html - fast/dom/shadow/offset-parent-does-not-leak-ua-shadow.html - shadow-dom/offsetParent.html For shadow-dom/offsetParent.html, I verified that firefox and safari both currently fail the same tests which this patch does. [1] WICG/webcomponents#497 [2] w3c/csswg-drafts#159 [3] https://chromium.googlesource.com/chromium/src/+/18d455ee833f6a30dcbe2755380861eb75cd9f6f [4] https://trac.webkit.org/changeset/239313/webkit [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1514074 [6] https://wpt.fyi/results/shadow-dom/offsetParent-across-shadow-boundaries.html Fixed: 920069 Change-Id: I168edc5ad0e4fcb92d0c4a440623f2424b14a988 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2775208 Reviewed-by: Mason Freed <[email protected]> Reviewed-by: vmpstr <[email protected]> Reviewed-by: Ian Kilpatrick <[email protected]> Commit-Queue: Joey Arhar <[email protected]> Cr-Commit-Position: refs/heads/master@{#872658} GitOrigin-RevId: a48d953625d82035201c12d8e92ad0f39bf85258
**Related Issue:** #6300 ## Summary This addresses positioning issues in Chrome 109+. Version 109 updated offsetParent behavior to follow the latest spec changes from w3c/csswg-drafts#159.
|
The Chromium bug has been fixed. Seems like this issue can be closed now? |
See the context: WICG/webcomponents#497
@rniwa, do you have any preference to this issue? I do not have a strong opinion yet.
The text was updated successfully, but these errors were encountered: