[patch][cla] dojox/html/styles throws SecurityError

[Wouter Hager]

A same origin violation error is thrown when dojox/html/styles encounters a stylesheet from another domain.

dojox/data/CssRuleStore has the same problem, see #16096

[Wouter Hager]

please review attached patch

[bill]

FYI, patches should be submitted as pull requests, see ​https://github.com/dojo/dojo/blob/master/CONTRIBUTING.md#submitting-a-pull-request.

In this case though I don't see the point of this change. All you are doing is silently surpressing an error message. The stylesheet load still doesn't work.

[Wouter Hager]

Apologies, I would be happy to create PRs as it's less of a hassle, but I thought I had to provide a patch. And apologies again, I had a working fix, but made a small edit without testing. I'll try again later today.

[Wouter Hager]

​https://github.com/dojo/dojox/pull/99

[Wouter Hager]

Hi Bill, I'm not quite sure what you expect. Catching the silent error means that the script will just continue loading other stylesheets, won't it?

[bill]

That's what I would guess. Do you think that's a good thing? Isn't it better to tell the app developer that they have a problem and they need to fix it?

[Wouter Hager]

I'd warn about it in the console. That way the developer at least gets some info. A solution would be to add a CORS attribute to the <link> element, but that's HTML5, so I can't put that in the warning.

I think files loaded from CDN should be ignored anyway.

So all in all I think it's a good enough idea.

[Wouter Hager]

Hm well maybe you're right. But the error shouldn't be silent. I'll try to find out why it is.

[bill]

I definitely agree that the error shouldn't be silent. I'm not familiar with the code you are changing; perhaps the error occurs in a separate thread, asynchronously?

[Wouter Hager]

My mistake, it's not silent. Sorry, don't know why I thought it was.

[Wouter Hager]

Ah I understand, the error is silent in dojox/data/css.js. see #16096

That's probably why I filed this in the first place, I must have mixed up the issues.

[bill]

OK, so this ticket (and associated pull request) should be closed?

[Wouter Hager]

Well I stil think a warning (and more verbose) would be better. Not allowed to read one css doesn't mean all should fail. This is a convenience class to begin with. But that is my opinion, so I leave it up to you.

[dylan]

@wshager, at this point, I think you know this code as much as anyone that's active, so if you have an alternative patch to propose, we'll consider it. Thanks!

[Wouter Hager]

I've added a warning. I think this convenience should be convenient.

[Wouter Hager]

Please note that CSS from CDN (ajax.googleapis.com/ajax/libs/dojo) prevents mimetype sniffing. That probably causes the issue in my code.

[bill]

I'm fine with any changes, you can change it to a warning if you like. I guess throwing exceptions doesn't work if you are in a separate thread (i.e. an asynchronous callback).

[dylans <[email protected]…>]

In 8f4fb8519532b1a02ee8043eddb24852e8222833/dojox:

Error: Processor CommitTicketReference failed

Unsupported version control system "git": Can't find an appropriate component, maybe the corresponding plugin was not enabled?