Declarative CSS Modules#11687
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR introduces declarative CSS modules support to HTML, allowing CSS to be imported as modules through <style> elements with a specifier attribute and <template> elements with a shadowrootadoptedstylesheets attribute.
- Adds a
specifierattribute to<style>elements that creates module import maps for CSS content - Introduces a
shadowrootadoptedstylesheetsattribute for<template>elements to declaratively adopt CSS modules - Implements algorithms for creating declarative CSS module scripts and stylesheet adoption
Comments suppressed due to low confidence (5)
source:1
- Missing attribute name in IDL definition. Should be
[SameObject, PutForwards=value, Reflect] readonly attribute DOMString <dfn attribute for="HTMLStyleElement" data-x="dom-style-specifier">specifier</dfn>;to match the pattern used for other attributes in this interface.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- Grammar error: 'is defines' should be 'defines' - remove the word 'is'.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- Grammar error: 'appended with the of the' should be 'appended with the' - remove the duplicate 'the of'.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- Logic error: The algorithm references
<var>specifier</var>but this variable is not defined in the algorithm. It should reference the value of theshadowrootadoptedstylesheetsattribute instead.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- Incorrect data-x reference: Should be
data-x=\"attr-style-specifier\"notdata-x=\"attr-style-blocking\"for the specifier attribute row.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (9)
source:1
- The IDL attribute should be named to match the content attribute. The content attribute is
specifierbut the IDL should use camelCase convention:[SameObject, PutForwards=value, Reflect] readonly attribute DOMString specifier;should have a data-x attribute defining the DOM property name.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- The
shadowrootadoptedstylesheetsattribute is listed twice in the content attributes section for the template element. This duplication should be removed.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- The
shadowrootadoptedstylesheetsattribute is listed twice in the content attributes section for the template element. This duplication should be removed.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- The algorithm step is missing proper HTML structure. It should end with
</li>and the nested<ol>should be properly closed with</ol>.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- The variable
moduleScriptis referenced but never defined in this algorithm. This should likely be the current module script or settings object context.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- These variable assignments are missing closing
</p>tags. Each should end with</p></li>.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- Missing spaces after commas in the parameter list. Should be
<var>fetchClient</var>, <var>destination</var>, <var>options</var>, <var>settingsObject</var>, <var>referrer</var>for consistency.
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- Incorrect data-x reference in the table. Line 148289 should reference
data-x=\"element-template\"or similar, notdata-x=\"attr-template-shadowrootclonable\".
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
source:1
- Incorrect data-x reference in the table. Line 148363 should reference
data-x=\"element-style\"instead ofdata-x=\"attr-style-blocking\".
<!-- -*- mode: Text; fill-column: 100 -*- vim: set textwidth=100 :
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
dandclark
left a comment
dandclark
left a comment
There was a problem hiding this comment.
Review in progress, sharing feedback so far.
mhochk
left a comment
mhochk
left a comment
There was a problem hiding this comment.
LGTM (No permissions to actually Approve)
dandclark
left a comment
dandclark
left a comment
There was a problem hiding this comment.
This is coming together nicely. I think the biggest thing still to figure out is to prevent a given <style type=module> from being processed twice. I'm about to head out on leave so I'm going to Approve this since I'm supportive of the direction and I trust that the remaining open issues will be handled appropriately.
| <ol> | ||
| <li><p>Let <var>element</var> be the <code>style</code> element.</p></li> | ||
|
|
||
| <li><p>If <var>element</var> is not <span>connected</span>, then return.</p></li> |
There was a problem hiding this comment.
I guess this is also the point where we'd also check a new equivalent of the already started flag to ensure a given <style type=module> only ever gets processed once?
There was a problem hiding this comment.
Yeah I'll have to think about this a little more. I will likely bring this up soon with the WHATWG.
There was a problem hiding this comment.
It doesn't seem like this got addressed one way or another?
There was a problem hiding this comment.
I'll bring this part up at the next meeting
| of the value of the <span data-x="attr-style-specifier">specifier attribute</span> and a value of | ||
| <var>styleDataURI</var>.</p></li> | ||
|
|
||
| <li><p><span>Create an import map parse result</span> with <var>input</var> as <var>jsonString</var> |
There was a problem hiding this comment.
Create an import map parse result can throw -- do we need to handle any of those cases? The one I particularly had in mind to watch for is does it throw when a given specifier is invalid? If not, do we need to handle an invalid specifier some other way?
There was a problem hiding this comment.
Good question. For now I added a step to look at the importMapParseResult's error to rethrow and to continue if that happens. In practice, we probably want to log something in the console, but this might be enough for the spec.
|
I still think that we can have declarative CSS modules with URLs before we go down the rabbit hole of supporting them in inline styles with something like The main issue with re-importing CSS URLs in shadow DOM is that they are duplicate. <script type=importmap>
{ "mytheme": { type: "css", href: "theme.css" } }
</script>
<my-element>
<template shadowrootadoptedstylesheets="mytheme">...</theme>
</my-element>Or something like: <script type=importmap>
{ "mytheme": { type: "css", href: "theme.css" } }
</script>
<my-element>
<link rel=stylesheetmodule href="theme.css">
<!-- or -->
<link rel=stylesheetmodule href="mytheme">
</my-element>This decouples the issue of deduping stylesheet references from the issue of importing inline styles. |
Thanks @noamr. I've recently split the URL version into its own explainer, see https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/ShadowDOMAdoptedStyleSheets/explainer.md.
This proposal creates an import map entry under-the-hood for the |
annevk
left a comment
annevk
left a comment
There was a problem hiding this comment.
This still looks far from ready to me. I'm also wondering if we have a good story as to how we eventually want to make this consistent with the script element. Will that get a specifier attribute too?
| attribute boolean <span data-x="dom-style-disabled">disabled</span>; | ||
| [<span>CEReactions</span>, <span data-x="xattr-Reflect">Reflect</span>] attribute DOMString <dfn attribute for="HTMLStyleElement" data-x="dom-style-media">media</dfn>; | ||
| [SameObject, PutForwards=<span data-x="dom-DOMTokenList-value">value</span>, <span data-x="xattr-Reflect">Reflect</span>] readonly attribute <span>DOMTokenList</span> <dfn attribute for="HTMLStyleElement" data-x="dom-style-blocking">blocking</dfn>; | ||
| [SameObject, PutForwards=value, Reflect] readonly attribute DOMString specifier; |
There was a problem hiding this comment.
Can you elaborate on this? Are you saying that specifier should be parser-only?
There was a problem hiding this comment.
I believe it's correct now
|
|
||
| <ul> | ||
| <li><p>The element is popped off the <span>stack of open elements</span> of an <span>HTML | ||
| parser</span> or <span>XML parser</span>.</p></li> |
There was a problem hiding this comment.
Is this just a subset of the next condition?
There was a problem hiding this comment.
The next condition is inverted - "The element is not on the..."
This language already exists in https://html.spec.whatwg.org/#the-style-element:update-a-style-block
| <code data-x="dom-Blob-type">type</code> of "<code>text/css</code>".</p></li> | ||
|
|
||
| <li><p>Let <var>styleBlobURL</var> be the <span data-x="concept-url-blob-entry">blob URL entry</span> | ||
| associated with <var>styleBlob</var>.</p></li> |
There was a problem hiding this comment.
This is not how this works. A Blob isn't automatically in a store and concept-url-blob-entry doesn't belong to Blob objects either. (Also, a blob URL entry is a struct, not a URL.)
There was a problem hiding this comment.
This is super helpful, thank you! I updated it to account for this, but it could use another look.
| <var>styleBlobURL</var>.</p></li> | ||
|
|
||
| <li><p>Let <var>jsonString</var> be the result of calling <span>JSON.stringify</span> on | ||
| <var>jsonObject</var>.</p></li> |
There was a problem hiding this comment.
This is wrong. We should be using Infra primitives for JSON.
There was a problem hiding this comment.
But "create an import map parse result" takes a string, should we change that to allow raw JSON?
| <ol> | ||
| <li><p>Let <var>element</var> be the <code>style</code> element.</p></li> | ||
|
|
||
| <li><p>If <var>element</var> is not <span>connected</span>, then return.</p></li> |
There was a problem hiding this comment.
It doesn't seem like this got addressed one way or another?
|
I think that the main issue with this solution, beyond it being tailor-made for styles and ignored for scripts, is that "shadow roots are able to export styles directly to the import map" using an attribute is exotic, as in inconsistent with both how shadow roots work and with how the import map work. Usually shadow roots should not be able to implicitly affect what's outside of them, and this changes that: any shadow root can import something from a specifier and any shadow root can populate the style that corresponds to that specifier. I understand the performance-driven use case for this (sharing styles between custom elements that are nested deep in the DOM without duplicating them) but I think we need to find a design that's less radical in terms of breaking shadow DOM encapsulation. A solution I've brought up before for this was being able to somehow share a style based on an integrity digest, which guarantees that the key and values have some relationship between them, or alternatively having some sort of namespace for CSS modules that is overridable from inside shadow-roots (kind of like |
@annevk - yeah, that is addressed in the explainer - see the table under https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/ShadowDOM/explainer.md#other-declarative-modules |
I don't consider this as breaking encapsulation - the module map is already global and any element in a nested tree scope can already access the global map. Encapsulation is still preserved when styles are applied. This feature just adds ergonomics for style modules without needing a fetch or executing script, which is super useful to developers who want to stream declarative content. |
This is different though. The import map is shared between styles and scripts and here you allow an in-shadow non-script markup to register entries into a map that is generally defined in the head. Eg <style specifier="app.js"> can allow a style to prevent a script from loading in certain situations. Not sure if it's a security risk but at the very least it seems messy for something that is mostly a performance optimization. |
Agreed, that's the biggest issue with this proposal. I wouldn't consider blocking a script a security problem though. And this can be avoided via CSP. The shadow-piercing aspect is super important for the scenarios that are streaming out SSR content. |
I consider this a blocker for this proposal.
How? I don't get it.
I think we need an alternate design where those in-shadow styles are scoped in a way that doesn't interfere with light DOM imports. One way to do this is to scope it to a particular custom element registry. e.g. you can use the This would need some development but I think we need something like that and that giving each in-shadow style element a free for all write permission on the head's importmap is a no-go. |
It isn't actually a security issue though. In your scenario of
The As currently spec'd, this falls under the
This is an interesting idea, I'll ask if it meets the needs of the parties interested in this feature. I am also unsure if it's necessary though - Import Maps aren't currently scoped by shadow root or custom element registries. |
This proposal allows a btw would the work: <template shadowrootmode=open>
<script type=importmap>{ "theme": "data:text/css,* { color: red}"}</script>
</template>If so, what does putting this in a style element attribute add here? If we really want inline styles (and scripts) we can do something with IDs, like: <template shadowrootmode=open>
<script type=importmap>{ "theme": "#theme"}</script>
<style id=theme>* { color: red; } </style>
</template>... with some semantics about when the ID lookup is resolved. This can work for scripts as well and doesn't break the CSP protection of import maps. btw a lot of these concerns were raised in #10673 and I'm surprised that this PR keeps being raised on WHATNOT when these weren't addressed in any satisfactory way. |
This issue (and a few others) would be resolved by using a So now we have this CSP mismatch. I agree that it's an issue, but I think taking the strictest CSP between script and style is a reasonable compromise here. Do you agree?
Yes, that does work today (see https://codepen.io/Kurt-Catti-Schmidt/pen/OPbmzOq). The downsides to this approach are:
I had also discussed using ID's in prior proposals. However, ID's are scoped to the light DOM, and this was a major blocking issue. Declarative Shadow DOM is often used in streaming HTML content, and it is a deal-breaker to need to stream back to the light DOM to define style modules. @justinfagnani provided this feedback in a different proposal that I had to address this problem, but it applies to this suggestion as well: #11019 (comment)
One of the challenges with this proposal is that it bridges several different existing concepts in HTML, and often the resolutions in some areas end up raising concerns in other areas, so we keep having circular conversations. It's been really difficult to get these issues to settle, but I do believe what I have currently is a reasonable compromise based on WHATWG feedback. I really appreciate the time you've spent giving feedback both here and in the working groups and really value the time the WHATNOT has spent discussing this. |
|
Yes, IDs don't work because they are tree-scoped. We need identifiers that are not scoped, which is what makes specifiers useful. Specifiers are also useful because they can point to external CSS files and because they share the same cache as I'm personally very ok with using |
What like protect the specifier attribute as if it was a script? I find that confusing.
I get that IDs are tree scoped but as we said before importmap specifiers aren't, right? e.g. <elem-a>
<template shadowrootmode=open>
<style id=local-theme> elem-a { color: blue } </style>
<script type=importmap>{ "theme-a": "#local-theme" }</script>
</template>
</elem-a>
<elem-b>
<template shadowrootmode=open>
<style id=local-theme> elem-b { color: green } </style>
<script type=importmap>{ "theme-b": "#local-theme" }</script>
</template>
</elem-b> |
| <p>The <dfn element-attr for="style"><code data-x="attr-style-specifier">specifier</code></dfn> | ||
| attribute defines an exportable <span | ||
| data-x="specifier-resolution-record-specifier">specifier</span>.</p> | ||
|
|
There was a problem hiding this comment.
Maybe this could use a tiny bit clarification. specifier is a new thing to expose in any webidl interface, I think, and it isn't super clear to the reader what it might be about. The link to specifier doesn't really help much since that is equally vague.
There was a problem hiding this comment.
Yeah, I agree that the existing definitions are vague. I'll see if there's a better place to link to, or if I need to add a definition here.
| all of the following conditions are true:</p> | ||
|
|
||
| <ul> | ||
| <li><p>The element is popped off the <span>stack of open elements</span> of an <span>HTML |
There was a problem hiding this comment.
The element? Which element exactly? Though, I guess some existing algorithms are equally vague.
There was a problem hiding this comment.
Yeah, this is the language just above https://html.spec.whatwg.org/#update-a-style-block in the existing language. I'm happy to change it there too if there's a better way to phrase it.
| <li><p>Let <var>styleBlobURL</var> be the result of <span data-x="Add a Blob entry">adding a Blob entry</span> | ||
| to the <span>Blob URL Store</span>.</p></li> | ||
|
|
||
| <li><p>Create a JSON object <var>jsonObject</var> with a single key of "<code data-x="">imports</code>" |
There was a problem hiding this comment.
(Looks like the spec is equally vague on what is a "JSON object" elsewhere too, so fine)
Not specifically the specifier attribute, I'm suggesting we gate processing the entire Alternatively, we could look at only the Moving from
This idea is really clever, but I'm unclear of how the styles could be shared between shadow roots. This example defines two exports, but what would imports look like? One issue is that all fragment identifiers in URL's are only accessible in the light DOM today, so |
This means that using style modules would require people to grant script CSP privileges. I don't think that's great security wise.
Sorry it would still be a module type or some such I am not sure this is the right approach but I feel that the current proposal isn't there yet either. |
|
... Though I think in general we should find a solution to sharing styles between elements from the same class/registry that doesn't rely on exporting them to global scope or relies on elevating anything to script priveleges. Eg <style type=module scope=instance|class|registry id=foo> (default is instance) import style from "module:foo" |
Adds support for Declarative CSS Modules via
<style type="module" specifier="specifiername">.shadowrootadoptedstylesheetsis handled in this PR: #12339(See WHATWG Working Mode: Changes for more details.)
Addresses #10673
/acknowledgements.html ( diff )
/indices.html ( diff )
/infrastructure.html ( diff )
/obsolete.html ( diff )
/scripting.html ( diff )
/semantics.html ( diff )