fix: prevent embedded styles to leak main document (#19221)

* fix: prevent embedded styles to leak main document

When using an exported a themed Flow web-component, Lumo style may leak
the embedding document, causing invalid CSS rules to be applied.
This change prevents applying Lumo global imports when the theme is
applied to a web-component.

Fixes #12704

* apply review suggestions

Author: mcollovati

flow-server/src/main/java/com/vaadin/flow/server/frontend/AbstractUpdateImports.java

@@ -43,8 +43,6 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import org.slf4j.Logger;
-
 import com.vaadin.flow.internal.StringUtil;
 import com.vaadin.flow.internal.UrlUtil;
 import com.vaadin.flow.server.Constants;
@@ -55,6 +53,7 @@
 import com.vaadin.flow.server.frontend.scanner.FrontendDependenciesScanner;
 import com.vaadin.flow.shared.ApplicationConstants;
 import com.vaadin.flow.theme.AbstractTheme;
+import org.slf4j.Logger;
 
 import static com.vaadin.flow.server.Constants.COMPATIBILITY_RESOURCES_FRONTEND_DEFAULT;
 import static com.vaadin.flow.server.Constants.PACKAGE_JSON;
@@ -96,6 +95,8 @@ abstract class AbstractUpdateImports implements Runnable {
             + " return !ae || ae.blur() || ae.focus() || true;\n" + "}";
     private static final String IMPORT_TEMPLATE = "import '%s';";
     private static final Pattern STARTING_DOT_SLASH = Pattern.compile("^\\./+");
+    private static final Pattern VAADIN_LUMO_GLOBAL_IMPORT = Pattern
+            .compile(".*@vaadin/vaadin-lumo-styles/.*-global.js.*");
     final Options options;
 
     private final UnaryOperator<String> themeToLocalPathConverter;
@@ -106,7 +107,8 @@ abstract class AbstractUpdateImports implements Runnable {
 
     private ClassFinder classFinder;
 
-    private final File generatedFlowImports;
+    final File generatedFlowImports;
+    final File generatedFlowWebComponentImports;
     private final File generatedFlowDefinitions;
     private File chunkFolder;
 
@@ -123,6 +125,11 @@ abstract class AbstractUpdateImports implements Runnable {
         generatedFlowDefinitions = new File(
                 generatedFlowImports.getParentFile(),
                 FrontendUtils.IMPORTS_D_TS_NAME);
+
+        generatedFlowWebComponentImports = new File(
+                FrontendUtils.getFlowGeneratedWebComponentsFolder(
+                        options.getFrontendDirectory()),
+                FrontendUtils.IMPORTS_WEB_COMPONENT_NAME);
         this.chunkFolder = new File(generatedFlowImports.getParentFile(),
                 "chunks");
 
@@ -138,6 +145,8 @@ public void run() {
 
         Map<File, List<String>> output = process(css, javascript);
         writeOutput(output);
+        writeWebComponentImports(
+                filterWebComponentImports(output.get(generatedFlowImports)));
 
         getLogger().debug("Imports and chunks update took {} ms.",
                 TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start));
@@ -198,6 +207,29 @@ protected void writeOutput(Map<File, List<String>> outputFiles) {
         }
     }
 
+    // Visible for test
+    List<String> filterWebComponentImports(List<String> lines) {
+        if (lines != null) {
+            // Exclude Lumo global imports for exported web-component
+            return lines.stream()
+                    .filter(VAADIN_LUMO_GLOBAL_IMPORT.asPredicate().negate())
+                    .collect(Collectors.toList());
+        }
+        return lines;
+    }
+
+    private void writeWebComponentImports(List<String> lines) {
+        if (lines != null) {
+            try {
+                FileIOUtils.writeIfChanged(generatedFlowWebComponentImports,
+                        lines);
+            } catch (IOException e) {
+                throw new IllegalStateException(
+                        "Failed to update the generated Flow imports", e);
+            }
+        }
+    }
+
     /**
      * Processes what the scanner found and produces a set of files to write to
      * the generated folder.

flow-server/src/main/java/com/vaadin/flow/server/frontend/FrontendUtils.java

@@ -178,6 +178,12 @@ public class FrontendUtils {
      */
     public static final String IMPORTS_D_TS_NAME = "generated-flow-imports.d.ts";
 
+    /**
+     * Name of the file that contains application imports, javascript, theme and
+     * style annotations used when embedding Flow as web-component.
+     */
+    public static final String IMPORTS_WEB_COMPONENT_NAME = "generated-flow-webcomponent-imports.js";
+
     public static final String THEME_IMPORTS_D_TS_NAME = "theme.d.ts";
     public static final String THEME_IMPORTS_NAME = "theme.js";
 

flow-server/src/main/java/com/vaadin/flow/server/frontend/NodeUpdater.java

@@ -202,6 +202,8 @@ static Set<String> getGeneratedModules(File frontendFolder) {
         return FileUtils
                 .listFiles(webComponentsFolder, new String[] { "js" }, true)
                 .stream()
+                .filter(file -> !FrontendUtils.IMPORTS_WEB_COMPONENT_NAME
+                        .equals(file.getName()))
                 .map(file -> unixPath
                         .apply(baseDir.relativize(file.toURI()).getPath()))
                 .collect(Collectors.toSet());

flow-server/src/main/java/com/vaadin/flow/server/frontend/TaskGenerateWebComponentBootstrap.java

@@ -52,8 +52,8 @@ public class TaskGenerateWebComponentBootstrap
     protected String getFileContent() {
         List<String> lines = new ArrayList<>();
 
-        lines.add(
-                "import 'Frontend/generated/flow/generated-flow-imports.js';");
+        lines.add("import 'Frontend/generated/flow/web-components/"
+                + FrontendUtils.IMPORTS_WEB_COMPONENT_NAME + "';");
         lines.add("import { init } from '" + FrontendUtils.JAR_RESOURCES_IMPORT
                 + "FlowClient.js';");
         lines.add("init();");

flow-server/src/main/resources/plugins/application-theme-plugin/theme-generator.js

@@ -81,6 +81,7 @@ function writeThemeFiles(themeFolder, themeName, themeProperties, options) {
 
   themeFileContent += `let needsReloadOnChanges = false;\n`;
   const imports = [];
+  const deferredImports = [];
   const componentCssImports = [];
   const globalFileContent = [];
   const globalCssCode = [];
@@ -118,7 +119,9 @@ function writeThemeFiles(themeFolder, themeName, themeProperties, options) {
       imports.push(`import { ${lumoImport} } from '@vaadin/vaadin-lumo-styles/${lumoImport}.js';\n`);
       if (lumoImport === 'utility' || lumoImport === 'badge' || lumoImport === 'typography' || lumoImport === 'color') {
         // Inject into main document the same way as other Lumo styles are injected
-        imports.push(`import '@vaadin/vaadin-lumo-styles/${lumoImport}-global.js';\n`);
+        // Defer import at runtime to prevent leaking document when theme is applied
+        // to an embedded component
+        deferredImports.push(`import('@vaadin/vaadin-lumo-styles/${lumoImport}-global.js');\n`);
       }
     });
 
@@ -220,6 +223,8 @@ function writeThemeFiles(themeFolder, themeName, themeProperties, options) {
     const removers = [];
     if (target !== document) {
       ${shadowOnlyCss.join('')}
+    } else {
+      ${deferredImports.join('\n')}
     }
     ${parentTheme}
     ${globalCssCode.join('')}

flow-server/src/test/java/com/vaadin/flow/server/frontend/AbstractUpdateImportsTest.java

@@ -31,6 +31,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Predicate;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
@@ -124,6 +125,7 @@ public static class FooCssImport2 extends Component {
     class UpdateImports extends AbstractUpdateImports {
 
         private Map<File, List<String>> output;
+        private List<String> webComponentImports;
 
         UpdateImports(FrontendDependenciesScanner scanner, Options options) {
             super(options, scanner);
@@ -134,6 +136,12 @@ protected void writeOutput(Map<File, List<String>> output) {
             this.output = output;
         }
 
+        @Override
+        List<String> filterWebComponentImports(List<String> lines) {
+            webComponentImports = super.filterWebComponentImports(lines);
+            return webComponentImports;
+        }
+
         public Map<File, List<String>> getOutput() {
             return output;
         }
@@ -398,13 +406,41 @@ public void generate_containsLumoThemeFiles() {
         updater.run();
 
         assertContainsImports(true, "@vaadin/vaadin-lumo-styles/color.js",
+                "@vaadin/vaadin-lumo-styles/color-global.js",
                 "@vaadin/vaadin-lumo-styles/typography.js",
+                "@vaadin/vaadin-lumo-styles/typography-global.js",
                 "@vaadin/vaadin-lumo-styles/sizing.js",
                 "@vaadin/vaadin-lumo-styles/spacing.js",
                 "@vaadin/vaadin-lumo-styles/style.js",
                 "@vaadin/vaadin-lumo-styles/icons.js");
     }
 
+    @Test
+    public void generate_embeddedImports_doNotContainLumoGlobalThemeFiles()
+            throws IOException {
+        updater.run();
+
+        List<String> flowImports = new ArrayList<>(
+                updater.getOutput().get(updater.generatedFlowImports));
+
+        Predicate<String> lumoGlobalsMatcher = Pattern
+                .compile("@vaadin/vaadin-lumo-styles/.*-global.js")
+                .asPredicate();
+        assertTrue(flowImports.stream().anyMatch(lumoGlobalsMatcher));
+
+        assertTrue(
+                "Import for web-components should not contain lumo global imports",
+                updater.webComponentImports.stream()
+                        .noneMatch(lumoGlobalsMatcher));
+
+        // Check that imports other than lumo globals are the same
+        flowImports.removeAll(updater.webComponentImports);
+        assertTrue(
+                "Flow and web-component imports must be the same, except for lumo globals",
+                flowImports.stream().allMatch(lumoGlobalsMatcher));
+
+    }
+
     @Test
     public void jsModulesOrderIsPreservedAnsAfterJsModules() {
         updater.run();

flow-server/src/test/java/com/vaadin/flow/server/frontend/NodeTestComponents.java

@@ -157,7 +157,9 @@ public static class MainView extends Component {
      * Lumo component theme class implementation.
      */
     @JsModule("@vaadin/vaadin-lumo-styles/color.js")
+    @JsModule("@vaadin/vaadin-lumo-styles/color-global.js")
     @JsModule("@vaadin/vaadin-lumo-styles/typography.js")
+    @JsModule("@vaadin/vaadin-lumo-styles/typography-global.js")
     @JsModule("@vaadin/vaadin-lumo-styles/sizing.js")
     @JsModule("@vaadin/vaadin-lumo-styles/spacing.js")
     @JsModule("@vaadin/vaadin-lumo-styles/style.js")

flow-server/src/test/java/com/vaadin/flow/server/frontend/NodeUpdateTestUtil.java

@@ -85,7 +85,9 @@ List<String> getExpectedImports() {
                 "@vaadin/vaadin-lumo-styles/icons.js",
                 "@vaadin/vaadin-lumo-styles/style.js",
                 "@vaadin/vaadin-lumo-styles/typography.js",
+                "@vaadin/vaadin-lumo-styles/typography-global.js",
                 "@vaadin/vaadin-lumo-styles/color.js",
+                "@vaadin/vaadin-lumo-styles/color-global.js",
                 "@vaadin/vaadin-lumo-styles/sizing.js",
                 "@vaadin/vaadin-date-picker/theme/lumo/vaadin-date-picker.js",
                 "@vaadin/vaadin-date-picker/src/vaadin-month-calendar.js",

flow-server/src/test/java/com/vaadin/flow/server/frontend/TaskGenerateWebComponentBootstrapTest.java

@@ -17,16 +17,15 @@
 
 import java.io.File;
 
+import com.vaadin.flow.di.Lookup;
+import com.vaadin.flow.server.ExecutionFailedException;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
 import org.mockito.Mockito;
 
-import com.vaadin.flow.di.Lookup;
-import com.vaadin.flow.server.ExecutionFailedException;
-
 import static com.vaadin.flow.server.frontend.FrontendUtils.DEFAULT_FRONTEND_DIR;
 
 public class TaskGenerateWebComponentBootstrapTest {
@@ -56,8 +55,9 @@ public void should_importGeneratedImports()
             throws ExecutionFailedException {
         taskGenerateWebComponentBootstrap.execute();
         String content = taskGenerateWebComponentBootstrap.getFileContent();
-        Assert.assertTrue(content.contains("import 'Frontend/generated/flow/"
-                + FrontendUtils.IMPORTS_NAME + "'"));
+        Assert.assertTrue(content
+                .contains("import 'Frontend/generated/flow/web-components/"
+                        + FrontendUtils.IMPORTS_WEB_COMPONENT_NAME + "'"));
     }
 
     @Test

flow-server/src/test/java/com/vaadin/flow/server/frontend/scanner/FullDependenciesScannerTest.java

@@ -338,7 +338,7 @@ public void getModules_explcitTheme_returnAllModulesExcludingNotUsedTheme_getCla
                     return null;
                 }, null);
 
-        DepsTests.assertImportCount(26, scanner.getModules());
+        DepsTests.assertImportCount(28, scanner.getModules());
         List<String> modules = DepsTests.merge(scanner.getModules());
         assertJsModules(modules);