[Webkit-unassigned] [Bug 194327] New: Inline style incorrectly does reads and writes properties on Object.prototype

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Feb 5 19:46:00 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=194327

            Bug ID: 194327
           Summary: Inline style incorrectly does reads and writes
                    properties on Object.prototype
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Bindings
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: esprehn at chromium.org
                CC: cdumez at apple.com

ex.

Object.prototype.color = "wtf";

makes every style object in the entire document report "wtf" for the color property.

document.createElement("div").style.color == "wtf"

Also doing element.style.color = 'anything' will then set a data property on the instance but not update the actual style.

Per https://drafts.csswg.org/cssom/#the-cssstyledeclaration-interface

I think WebKit should probably make these getters and setters instead of data properties:

"""
For each CSS property property that is a supported CSS property, the following partial interface applies where camel-cased attribute is obtained by running the CSS property to IDL attribute algorithm for property.

partial interface CSSStyleDeclaration {
  [CEReactions] attribute [TreatNullAs=EmptyString] CSSOMString _camel_cased_attribute;
};

For each CSS property property that is a supported CSS property, except for properties that have no "-" (U+002D) in the property name, the following partial interface applies where dashed attribute is property.

partial interface CSSStyleDeclaration {
  [CEReactions] attribute [TreatNullAs=EmptyString] CSSOMString _dashed_attribute;
};
"""

Firefox does currently follow this spec, though Chrome does not:

Object.getOwnPropertyDescriptor(document.body.style.__proto__, 'paddingTop') // getter/setter in Firefox, doesn't exist in Chrome and Safari.
Object.getOwnPropertyDescriptor(document.body.style.__proto__, 'padding-top') // getter/setter in Firefox, doesn't exist in Chrome and Safari.
Object.getOwnPropertyDescriptor(document.body.style, 'padding-top') // data property in Chrome and Safari, doesn't exist in Firefox.
Object.getOwnPropertyDescriptor(document.body.style, 'paddingTop') // data property in Chrome and Safari, doesn't exist in Firefox.

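The difference the report describes, as an added example that is not part of the original report or WebKit's code: a simplified Proxy model of a style object whose CSS names resolve only when nothing on the prototype chain matches, next to a spec-shaped class with accessors on its own prototype. `SUPPORTED`, `makeFallbackStyle`, `SpecStyle`, `exposure` and `demo` are hypothetical names, and the model assumes a two-property subset.

```javascript
// Constructed model, not browser source.
const SUPPORTED = ["color", "paddingTop"]; // constructed subset of CSS properties

// (a) Reported behaviour: a name found anywhere on the prototype chain wins.
function makeFallbackStyle() {
  const declared = new Map(); // stands in for the element's actual style
  const style = new Proxy({}, {
    get(target, prop) {
      if (prop in target) return Reflect.get(target, prop); // own or inherited
      return SUPPORTED.includes(prop) ? (declared.get(prop) ?? "") : undefined;
    },
    set(target, prop, value) {
      if (prop in target || !SUPPORTED.includes(prop)) return Reflect.set(target, prop, value);
      declared.set(prop, String(value)); // only reached when nothing shadows the name
      return true;
    },
  });
  return { style, declared };
}

// (b) Spec shape: getter/setter pairs on the interface prototype.
class SpecStyle { constructor() { this.declared = new Map(); } }
for (const name of SUPPORTED) {
  Object.defineProperty(SpecStyle.prototype, name, {
    get() { return this.declared.get(name) ?? ""; },
    set(v) { this.declared.set(name, String(v)); },
    enumerable: true, configurable: true,
  });
}

// How is `name` exposed before lookup would reach Object.prototype?
function exposure(obj, name) {
  for (let o = obj; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, name);
    if (d) return d.get || d.set ? "accessor" : "data";
  }
  return "none";
}

function demo() {
  const fallback = makeFallbackStyle(), spec = new SpecStyle();
  Object.prototype.color = "wtf"; // the assignment from the report
  try {
    const read = { fallback: fallback.style.color, spec: spec.color };
    fallback.style.color = "red"; // lands in a plain data property
    spec.color = "red";           // runs the setter
    const stored = { fallback: fallback.declared.get("color") ?? "", spec: spec.declared.get("color") };
    return { read, stored, kind: { fallback: exposure(fallback.style, "color"), spec: exposure(spec, "color") } };
  } finally { delete Object.prototype.color; } // restore the global prototype
}
```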