These things cause developers' assumptions to fail; people forget about legacy code paths, then bugs and crashes appear.
Guess what is more exploitable? A new CSS layout mode, or a broken assumption that makes our browser crash somewhere?
Depends on what the new CSS layout mode does, I suppose. :) But seriously, Edge should already have secure context checks baked in.
Security checks on imperative boundaries are easy enough. Hiding features in a CSS parser? How do you do that? Ugly hacks...
`@supports`? It seems similar to `[SecureContext]` IDL attribute in principle. We hide the interface from JS, we could do the same in CSS?
Not arguing it is not possible. I'm arguing that this "http" mode will rot and get buggier and buggier, and become a risk by itself.
Ex: Some IE 9 features ended up leaking into IE 8 mode, enabling you to reach code that was not supposed to run from there, generating crashes.
One relevant difference is that this could be a cross-browser effort, which means both that the burden of testing is shared via WPT, and...
... that the boundaries could be well-defined and specified. That would seem to make it less likely to rot, and easier to fuzz regularly.
Saying that certain CSS properties are secure-context-only is easy. I'm a little more uneasy about more granular features.
Oct 17, 2017 · 6:33 AM UTC