Page MenuHomePhabricator
Create Task
Maniphest T361934

Support CSS variable fallbacks in template styles
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

Background

  • Add one sentence summary on why were are doing this ticket with relevant context. Ensure you add context on how the outcome of this ticket will affect the end user.

User story

As a template editor I need to use CSS variables in a way that supports all Wikimedia deployed skins.

Requirements

It should be possible to edit https://en.wikipedia.beta.wmflabs.org/wiki/Template:Tracked/styles.css so that it uses fallbacks like follows and save without error:

.tracked {
	float: right;
	clear: right;
	margin: 0 0 1em 1em;
	width: 12em;
	border: 1px solid var( --border-color-interactive, #72777d );
	border-radius: 2px;
	background-color: var( --background-color-neutral, #eaecf0 );
	font-size: 85%;
	text-align: center;
	padding: 0.5em;
}

Communication criteria - does this need an announcement or discussion?

  • We will run a user-notice once the feature is in production.

Details

SubjectRepoBranchLines +/-
Update CSS sanitizer to 5.3.0mediawiki/vendormaster+120 -71
Allow wikimedia/css-sanitizer at 5.3.0mediawiki/extensions/TemplateStylesmaster+1 -1
feat(css-sanitizer): Improve color parsing var func fallback valuescss-sanitizermaster+80 -47
Harden security by disallowing custom properties for `border-color`css-sanitizermaster+89 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

Jdlrobson created this task.Apr 5 2024, 12:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 5 2024, 12:03 PM
Jdlrobson renamed this task from Web Task Creation Form to Support CSS variable fallbacks in template styles.Apr 5 2024, 12:03 PM
Jdlrobson added projects: TemplateStyles, css-sanitizer.
Jdlrobson added a parent task: T360562: CSS sanitizer should support using CSS variables (not setting/creating them) for use in color values in TemplateStyles.
Jdlrobson updated the task description. (Show Details)
gerritbot added a comment.Apr 5 2024, 12:04 PM

Change #1017080 had a related patch set uploaded (by Jdlrobson; author: Mabualruz):

[css-sanitizer@master] feat(css-sanitizer): Improve color parsing var func fallback values

https://gerrit.wikimedia.org/r/1017080

gerritbot added a project: Patch-For-Review.Apr 5 2024, 12:04 PM
Jdlrobson mentioned this in T360562: CSS sanitizer should support using CSS variables (not setting/creating them) for use in color values in TemplateStyles.Apr 5 2024, 12:06 PM
Jdlrobson triaged this task as High priority.Apr 5 2024, 12:09 PM
SnorlaxMonster subscribed.Apr 5 2024, 12:11 PM
cscott subscribed.Apr 5 2024, 12:30 PM

Why do we need fallback values? On project, the custom properties should always be defined by codex, etc, and I'd think we'd actually want to hard fail with an error if an unknown property is referenced, rather than fallback.

Custom properties are a signficant potential security issue, and I think we'd want to keep our support as simple as possible. The more weird cases we introduce, the more likely it is that we open up a hole where someone can bypass the sanitizer by combining properties in unusual ways. Significantly, "The allowed syntax for custom properties is extremely permissive. The <declaration-value> production matches any sequence of one or more tokens..." so I think we want to error on the side of sharply limiting what custom properties we allow where, rather than move in the direction of allowing custom properties in their full flexibility.

cscott added a comment.EditedApr 5 2024, 12:33 PM

The idea of skin-specific custom properties arose, but I think that can be done without adding additional var() syntax like so:

background-color: #fa11bac;
background-color: var(--skin-specific-custom-property);

As I understand it, the second declaration is "guaranteed invalid" if the skin specific custom property isn't defined, so this will use the first property in this case.

EDIT: actually I think I misunderstood the meaning of "guaranteed invalid" in the spec (https://www.w3.org/TR/css-variables-1/#invalid-variables) and the inheritance won't actually work the way I expected it would. Can someone else double-check my logic and figure out whether this can be done in another way without requiring more custom-property syntax?

EDIT: yes, I misunderstood. See below for other concerns.

hgzh subscribed.Apr 5 2024, 12:42 PM
Escargot_rouge subscribed.Apr 5 2024, 1:05 PM
Mabualruz lowered the priority of this task from High to Medium.Apr 5 2024, 1:07 PM
Mabualruz added subscribers: stjn, Mabualruz.

Based on the latest feedback and discussion here and on T360562, I think Medium is more fitting for now.

And I also recommended adding the current support examples for fallback, somewhere for the community to check on.

I want still to understand the security risks of var() and attr() functions in CSS in our projects, maybe we can do proper secure support if possible.

I also think @stjn have some different concerns that he left on https://phabricator.wikimedia.org/T360562#9692634

Just FYI I will be on vacation starting the end of day for 2 weeks, just in case I do not reply or being slow to do so

gerritbot added a comment.Apr 5 2024, 1:16 PM

Change #1017080 had a related patch set uploaded (by Mabualruz; author: Mabualruz):

[css-sanitizer@master] feat(css-sanitizer): Improve color parsing var func fallback values

https://gerrit.wikimedia.org/r/1017080

stjn added a comment.Apr 5 2024, 1:25 PM
In T361934#9692567, @cscott wrote:

EDIT: actually I think I misunderstood the meaning of "guaranteed invalid" in the spec (https://www.w3.org/TR/css-variables-1/#invalid-variables) and the inheritance won't actually work the way I expected it would. Can someone else double-check my logic and figure out whether this can be done in another way without requiring more custom-property syntax?

Copying the comment: unless you hard-code something to switch it to var( --skin-specific, #fff ), this example would lead to override of #fff to an empty value in all the browsers supporting var() in case --skin-specific is undefined.

cscott added a comment.EditedApr 5 2024, 1:37 PM

I'm already worried about the token-gluing possible with:

border: var(--foo) var(--bar) var(--bat);

which is allowed by the current patch. I guess adding default values doesn't make this *worse* but the semantics of var are already very worrying from a security standpoint. As long as users can't define their own custom properties we're probably okaaay, but we're relying on Codex and Skin authors not to inadvertently define custom properties that can be abused by concatenating them in unusual and unexpected ways.

We could consider locking this down by allowing var *only* in places where repetition (UnorderedGroup::someOf in css-sanitizer) isn't allowed, like allowing in background-color but not background, and in border-*-color but not border-color (which allows 4 vars to be concatenated) or border.

EDIT: UnorderedGroup::someOf actually prohibits repetition. It's only Quantifier which would be problematic, and even there Quantifier::optional is fine and Quantifier::hash requires the values to be comma-separated, which would probably complicate any concatenation-based attack. With all that in mind, border-color seems the only problematic property, which allows up to four var properties to be concatenated:

* { border-color: var(--foo) var(--bar) var(--bat) var(--baz); }

As another mitigation, apparently url() is treated as a single token, and var must evaluate to a series of tokens. So you /probably/ can't abuse this to prepend javascript: to a URL, for example.

But I still think it may be worthwhile to restrict var in border-color to be safe, and I might consider restricting it in the comma-separated cases, box-shadow and text-shadow, although in both of those cases there are also required numeric elements as well complicating the concatenation.

Jdrewniak subscribed.Apr 5 2024, 2:01 PM
gerritbot added a comment.Apr 5 2024, 2:45 PM

Change #1017299 had a related patch set uploaded (by C. Scott Ananian; author: C. Scott Ananian):

[css-sanitizer@master] Harden security by disallowing custom properties for `border-color`

https://gerrit.wikimedia.org/r/1017299

gerritbot added a comment.Apr 5 2024, 4:18 PM

Change #1017299 merged by jenkins-bot:

[css-sanitizer@master] Harden security by disallowing custom properties for `border-color`

https://gerrit.wikimedia.org/r/1017299

gerritbot added a comment.Apr 5 2024, 4:19 PM

Change #1017080 merged by jenkins-bot:

[css-sanitizer@master] feat(css-sanitizer): Improve color parsing var func fallback values

https://gerrit.wikimedia.org/r/1017080

cscott mentioned this in rCSSS34b37a6a1c9a: Harden security by disallowing custom properties for `border-color`.Apr 5 2024, 4:20 PM
cscott mentioned this in rCSSS56912a6a37cd: feat(css-sanitizer): Improve color parsing var func fallback values.
cscott mentioned this in T361956: Application Security Review Request : css-sanitizer custom property support.Apr 5 2024, 4:39 PM
Ciencia_Al_Poder subscribed.Apr 5 2024, 5:16 PM
SToyofuku-WMF subscribed.Apr 5 2024, 5:18 PM
Lofhi subscribed.Apr 5 2024, 6:30 PM
ovasileva moved this task from Incoming to Ready for Signoff on the Web-Team-Backlog (FY2023-24 Q4 Sprint 1) board.Tue, Apr 9, 4:45 PM
ovasileva assigned this task to Jdlrobson.Mon, Apr 15, 5:15 PM
ovasileva raised the priority of this task from Medium to High.
ovasileva edited projects, added Web-Team-Backlog; removed Web-Team-Backlog (FY2023-24 Q4 Sprint 1).
ovasileva edited projects, added Web-Team-Backlog (FY2023-24 Q4 Sprint 1); removed Web-Team-Backlog.
ovasileva moved this task from Ready for Signoff to Blocked on Others on the Web-Team-Backlog (FY2023-24 Q4 Sprint 1) board.
Jdlrobson moved this task from Blocked on Others to Doing on the Web-Team-Backlog (FY2023-24 Q4 Sprint 1) board.Tue, Apr 16, 4:51 PM
Jdlrobson moved this task from Backlog to Night mode (mobile) on the FY2023-24-WE 2.1 Typography and palette customizations board.Wed, Apr 17, 3:55 PM
Jdlrobson moved this task from Doing to Blocked on Others on the Web-Team-Backlog (FY2023-24 Q4 Sprint 1) board.Wed, Apr 17, 6:11 PM
Jdlrobson added a comment.Wed, Apr 17, 8:08 PM

I discussed this with C Scott yesterday and we agreed to push ahead with a release to make sure the solution we've landed on is complete. This may be delayed as @cscott is attending an event this week.

Once that's done I'll follow up with the security team on T361956.

Jdlrobson moved this task from Blocked on Others to Doing on the Web-Team-Backlog (FY2023-24 Q4 Sprint 1) board.Thu, Apr 18, 8:51 PM
gerritbot added a comment.Thu, Apr 18, 8:53 PM

Change #1021564 had a related patch set uploaded (by Jdlrobson; author: Jdlrobson):

[mediawiki/extensions/TemplateStyles@master] Update wikimedia/css-sanitizer to 5.3.0

https://gerrit.wikimedia.org/r/1021564

gerritbot added a comment.Thu, Apr 18, 8:56 PM

Change #1021567 had a related patch set uploaded (by Jdlrobson; author: Jdlrobson):

[mediawiki/vendor@master] Update CSS sanitizer to 5.3.0

https://gerrit.wikimedia.org/r/1021567

Jdlrobson moved this task from Doing to Blocked on Others on the Web-Team-Backlog (FY2023-24 Q4 Sprint 1) board.Thu, Apr 18, 8:57 PM
Jdlrobson set the point value for this task to 1.Tue, Apr 23, 4:47 PM
ovasileva edited projects, added Web-Team-Backlog (FY2023-24 Q4 Sprint 2); removed Web-Team-Backlog (FY2023-24 Q4 Sprint 1).Tue, Apr 23, 4:51 PM
ovasileva moved this task from Backlog to Blocked on Others on the Web-Team-Backlog (FY2023-24 Q4 Sprint 2) board.
gerritbot added a comment.Tue, Apr 23, 5:57 PM

Change #1021564 merged by jenkins-bot:

[mediawiki/extensions/TemplateStyles@master] Allow wikimedia/css-sanitizer at 5.3.0

https://gerrit.wikimedia.org/r/1021564

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.3; 2024-04-30).Tue, Apr 23, 6:00 PM
gerritbot added a comment.Tue, Apr 23, 6:25 PM

Change #1021567 merged by jenkins-bot:

[mediawiki/vendor@master] Update CSS sanitizer to 5.3.0

https://gerrit.wikimedia.org/r/1021567

Jdlrobson moved this task from Blocked on Others to QA on the Web-Team-Backlog (FY2023-24 Q4 Sprint 2) board.Tue, Apr 23, 7:01 PM
Jdlrobson removed a project: MW-1.43-notes (1.43.0-wmf.3; 2024-04-30).
Jdlrobson moved this task from QA to Ready for Signoff on the Web-Team-Backlog (FY2023-24 Q4 Sprint 2) board.

I have confirmed on beta cluster the requirements have been met.

Jdlrobson closed this task as Resolved.Thu, Apr 25, 4:38 PM

This will be available in production from 2nd May.

hgzh added a comment.Thu, Apr 25, 5:14 PM

Before I start using this onwiki: is there a risk of this later being revoked following the security review?

Jdlrobson added a comment.Thu, Apr 25, 10:37 PM

Hi @hgzh I checked in with the security team and we feel like it's unlikely we'd completely revoke the functionality, particularly for color properties. The worst that could probably happen is further sanitizing or limiting certain css fallback values and that would need to consider at least temporary backwards compatibility with on-wiki usages. I personally I would feel comfortable recommending using the following:

.foo {
  color: #202122; /* define this in case next line gets stripped (very unlikely in this particular case) , this also supports really old browsers*/
  color: var( --color-base, #202122 ); /* make sure to use the fallback if important for when color-base is not defined by the skin - true for Monobook for example */
}

Hope this helps!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL