API inconsistency: Chrome's tabs.insertCSS and scripting.insertCSS for "author" origin inject at the "user" origin position #906
Description
When the origin is "author" (this is the default setting) Chrome's tabs.insertCSS and scripting.insertCSS incorrectly inject the extension's CSS before the document's own stylesheets [source code] i.e. at the cascade position of the "user" origin, which is a bug.
This is a problem for extensions like Stylus that apply CSS themes to websites as they can't use this API due to this bug and have to add them in a DOM <style> element, which may be used for fingerprinting by websites or interstitials like Cloudflare's.
This is broken since 2017 and was reported several years ago in https://crbug.com/40237190. The last action from Chrome devs was a suggestion to add a new parameter in the API. Such caution doesn't apply here for several reasons:
- Inconsistency: Chrome behaves incorrectly, Firefox behaves correctly.
- Existing extensions are unlikely to rely on the bug as their goal is to override the page which they achieve by adding
!importantand optionally setting the "user" origin. - Even if the bug has been used by one or two extensions, it shouldn't preclude Chrome devs from just fixing it.
- The practical usefulness of a new parameter is questionable, it may end up being an unused arcane oddity.
So ideally this bug should be just fixed but just in case a possible parameter could be a boolean overridePage or authorOverride:
false= beforedocumentstyle sheets - this is what Chrome devs suggested to be default.true= after document.adoptedStyleSheets or any future API indocument- this is the default I suggest.
It should be documented though that this parameter applies only to the "author" mode.