[mediaqueries-5] Account for CSP restrictions in the scripting feature #8653

Open
hackademix opened this issue Mar 28, 2023 · 3 comments

@hackademix

Regarding the @media scripting features, value none, the current specification reads:

[...]the value of the scripting media feature should be enabled or initial-only if scripts originating on the same domain as the document are allowed to run, and none otherwise.

Security and privacy browser extensions such as NoScript, uBlock Origin or uMatrix currently use CSP directives (typically script-src and script-src-elem) to turn off JavaScript on certain sites of users' choice, and use DOM manipulation to display the content of <noscript> elements (which are not affected by CSP) and provide users with the authors' intended feedback. Of course the JavaScript-toggled CSS classes approach works out of the box.

It would be great if this new feature took into account CSP disabling script execution on the document, making explicit that the value should be none for that case. Otherwise the aforementioned tools would need to scan all the CSS rules applied to the page and manipulate them to force those matching scripting none, which would be an ugly, inefficient hack.

@CanadaHonk
Contributor

Personally I like this idea but not sure if it's something that would/should be considered under the spec itself since it's more specifically for the case of external extensions (since no site would need to check if scripting is enabled/disabled if they knew CSP would block it anyway).

@emilio
Collaborator

emilio commented Mar 28, 2023

I think this media feature should match <noscript> behavior.

It may be the case that <noscript> should do this tho... Right now <noscript> uses this, maybe it should account for script-src 'none' or so.

But yeah this discussion maybe should be in https://github.com/whatwg/html/issues/new

@tabatkins
Member

Agreed that the noscript element should probably trigger when CSP shuts off scripting for the page (and that's an HTML issue, not a CSS one).

For CSS, the MQ is defined using generic language intentionally - if scripting is disabled, it should match. I do think it's ideal for us to match the noscript element, tho, and so UAs should be consistent in that regard.
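
Added example, not part of the thread and not code from any browser or extension: one way to decide, from a Content-Security-Policy header value, whether CSP "shuts off scripting for the page". It assumes that this means the effective source lists for both script-src-elem and script-src-attr match nothing; the thread does not define the condition, and all function names are hypothetical.

```javascript
// Parse one serialized policy into a map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // CSP ignores repeated directives: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// CSP Level 3 fallback: the specific directive, then script-src, then default-src.
function effectiveSources(directives, name) {
  for (const candidate of [name, "script-src", "default-src"]) {
    if (directives.has(candidate)) return directives.get(candidate);
  }
  return null; // no directive governs scripts, so nothing is blocked
}

// An empty list, or a list holding only 'none', matches no source.
// 'none' next to other expressions is ignored, so such a list still matches.
function matchesNothing(sources) {
  if (sources === null) return false;
  return sources.every((s) => s.toLowerCase() === "'none'");
}

// Assumption: scripting counts as disabled only when both script elements
// and inline event handlers are blocked.
function policyDisablesScripting(policy) {
  const d = parsePolicy(policy);
  return matchesNothing(effectiveSources(d, "script-src-elem")) &&
         matchesNothing(effectiveSources(d, "script-src-attr"));
}

// A header may carry several comma-separated policies. All of them are
// enforced, so one policy that blocks scripts is enough.
function cspDisablesScripting(headerValue) {
  return headerValue.split(",").some(policyDisablesScripting);
}
```

Under this assumption, `script-src-elem 'none'` on its own does not count as disabling scripting, because inline event handlers fall back to script-src and default-src, which are unset.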

@fantasai fantasai changed the title [mediaqueries][mediaqueries-5] Account for CSP restrictions in the scripting feature [mediaqueries-5] Account for CSP restrictions in the scripting feature Jun 1, 2023