From 6ed41ea3468b7c3156a319741510332184ed5c4d Mon Sep 17 00:00:00 2001
From: Navid EMAD <navid.emad@yespark.fr>
Date: Sat, 16 May 2026 19:03:15 +0200
Subject: [PATCH 1/6] Add --enable-external-stylesheets flag (no-op surface)

Reserves the CLI flag and LP.configureLoading externalStylesheets field
so drivers can adopt the API before the fetch implementation lands in a
follow-up that depends on #2303.

The bool is intentionally unread in this PR. Mirrors the existing
--disable-subframes / --disable-workers plumbing; the CDP field extends
LP.configureLoading alongside subFrame and worker without breaking
existing callers.

Refs #2343
---
 src/Config.zig          |  8 ++++++++
 src/browser/Session.zig | 10 ++++++++++
 src/cdp/domains/lp.zig  | 35 +++++++++++++++++++++++++++++++++++
 src/help.zon            | 14 ++++++++++++++
 4 files changed, 67 insertions(+)

diff --git a/src/Config.zig b/src/Config.zig
index 9013ab35..2bedfd1f 100644
--- a/src/Config.zig
+++ b/src/Config.zig
@@ -100,6 +100,7 @@ const CommonOptions = .{
     .{ .name = "storage_sqlite_path", .type = ?[:0]const u8 },
     .{ .name = "disable_subframes", .type = bool },
     .{ .name = "disable_workers", .type = bool },
+    .{ .name = "enable_external_stylesheets", .type = bool },
 };
 
 fn dumpValidator(_: Allocator, args: *std.process.ArgIterator) !?DumpFormat {
@@ -254,6 +255,13 @@ pub fn disableWorkers(self: *const Config) bool {
     };
 }
 
+pub fn enableExternalStylesheets(self: *const Config) bool {
+    return switch (self.mode) {
+        inline .serve, .fetch, .mcp => |opts| opts.enable_external_stylesheets,
+        else => unreachable,
+    };
+}
+
 pub fn httpProxy(self: *const Config) ?[:0]const u8 {
     return switch (self.mode) {
         inline .serve, .fetch, .mcp => |opts| opts.http_proxy,
diff --git a/src/browser/Session.zig b/src/browser/Session.zig
index aa34370d..d044d0ef 100644
--- a/src/browser/Session.zig
+++ b/src/browser/Session.zig
@@ -91,6 +91,15 @@ subframe_loading_enabled: bool = true,
 // session init; the LP.configureLoading CDP method can flip it per-session.
 worker_loading_enabled: bool = true,
 
+// Opt-in fetch of external <link rel=stylesheet> resources. Defaults to
+// false to preserve the current rendering-free fast path: drivers that
+// don't need accurate visibility checks pay nothing. Set from the
+// `--enable-external-stylesheets` CLI flag at session init; the
+// LP.configureLoading CDP method can flip it per-session. Currently
+// unread — the fetch path lands in a follow-up that depends on the
+// network refactor in #2303.
+load_external_stylesheets: bool = false,
+
 pub fn init(self: *Session, browser: *Browser, notification: *Notification) !void {
     const allocator = browser.app.allocator;
     const arena_pool = browser.arena_pool;
@@ -112,6 +121,7 @@ pub fn init(self: *Session, browser: *Browser, notification: *Notification) !voi
         // CLI defaults; LP.configureLoading can flip these per-session.
         .subframe_loading_enabled = !browser.app.config.disableSubframes(),
         .worker_loading_enabled = !browser.app.config.disableWorkers(),
+        .load_external_stylesheets = browser.app.config.enableExternalStylesheets(),
     };
 }
 
diff --git a/src/cdp/domains/lp.zig b/src/cdp/domains/lp.zig
index ffc2cf92..b3b3aec0 100644
--- a/src/cdp/domains/lp.zig
+++ b/src/cdp/domains/lp.zig
@@ -68,11 +68,13 @@ fn configureLoading(cmd: *CDP.Command) !void {
     const params = (try cmd.params(struct {
         subFrame: ?bool = null,
         worker: ?bool = null,
+        externalStylesheets: ?bool = null,
     })) orelse return error.InvalidParams;
 
     const bc = cmd.browser_context orelse return error.NoBrowserContext;
     if (params.subFrame) |v| bc.session.subframe_loading_enabled = v;
     if (params.worker) |v| bc.session.worker_loading_enabled = v;
+    if (params.externalStylesheets) |v| bc.session.load_external_stylesheets = v;
     return cmd.sendResult(null, .{});
 }
 
@@ -688,3 +690,36 @@ test "cdp.lp: configureLoading toggles subFrame and worker independently" {
     try testing.expectEqual(true, bc.session.subframe_loading_enabled);
     try testing.expectEqual(true, bc.session.worker_loading_enabled);
 }
+
+test "cdp.lp: configureLoading toggles externalStylesheets independently" {
+    var ctx = try testing.context();
+    defer ctx.deinit();
+
+    const bc = try ctx.loadBrowserContext(.{});
+    _ = try bc.session.createPage();
+
+    // Default is opt-in: off unless the CLI flag or CDP toggle enables it.
+    try testing.expectEqual(false, bc.session.load_external_stylesheets);
+
+    // Enable via CDP; the other two loading toggles stay at their defaults.
+    try ctx.processMessage(.{
+        .id = 1,
+        .method = "LP.configureLoading",
+        .params = .{ .externalStylesheets = true },
+    });
+    try ctx.expectSentResult(null, .{ .id = 1 });
+    try testing.expectEqual(true, bc.session.load_external_stylesheets);
+    try testing.expectEqual(true, bc.session.subframe_loading_enabled);
+    try testing.expectEqual(true, bc.session.worker_loading_enabled);
+
+    // Flip back off; partial params must not reset the other fields.
+    try ctx.processMessage(.{
+        .id = 2,
+        .method = "LP.configureLoading",
+        .params = .{ .externalStylesheets = false },
+    });
+    try ctx.expectSentResult(null, .{ .id = 2 });
+    try testing.expectEqual(false, bc.session.load_external_stylesheets);
+    try testing.expectEqual(true, bc.session.subframe_loading_enabled);
+    try testing.expectEqual(true, bc.session.worker_loading_enabled);
+}
diff --git a/src/help.zon b/src/help.zon
index 4962f768..aae77fea 100644
--- a/src/help.zon
+++ b/src/help.zon
@@ -152,6 +152,20 @@
     \\                           script fetch is initiated and its scope never runs.
     \\                           Defaults to false.
     \\
+    \\--enable-external-stylesheets
+    \\                           Fetch external <link rel=stylesheet> resources so
+    \\                           their rules contribute to computed styles (and
+    \\                           therefore to visibility checks like display,
+    \\                           visibility, opacity, pointer-events). The default
+    \\                           skips these fetches, which makes utility-class-
+    \\                           heavy sites read as not-visible from the driver
+    \\                           side. Currently a no-op: reserves the surface
+    \\                           (CLI + LP.configureLoading externalStylesheets)
+    \\                           so drivers can adopt it before the fetch path
+    \\                           lands in a follow-up. Drivers can also toggle
+    \\                           this per-session via LP.configureLoading.
+    \\                           Defaults to false.
+    \\
     \\--block-private-networks   Block HTTP requests to private/internal IP
     \\                           addresses after DNS resolution.
     \\                           Defaults to false.

From 3e409d49e9d803dd6ae54aa9b598f4e96048f6c5 Mon Sep 17 00:00:00 2001
From: Navid EMAD <navid.emad@yespark.fr>
Date: Sun, 17 May 2026 16:19:55 +0200
Subject: [PATCH 2/6] Implement external stylesheet fetch + parse
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wires up --enable-external-stylesheets / LP.configureLoading.externalStylesheets
from the prior surface-only commit. When the flag is set, parser- and
JS-created <link rel=stylesheet> elements now synchronously fetch and parse
their href, register a CSSStyleSheet on document.styleSheets, and feed
StyleManager so checkVisibility() reflects external rules. Flag stays
default-off — scrapers that don't need accurate visibility pay nothing.

Frame.loadExternalStylesheet mirrors ScriptManager.addFromElement: same
HttpClient.syncRequest path, same arena ownership, same per-frame
notification + cookie wiring. Body is routed through CSSStyleSheet.replaceSync,
which already parses, populates cssRules, and calls sheetModified() — no
StyleManager changes needed. 2 MiB hard cap on a single sheet body, status
non-2xx and oversize both fire `error` on the link.

Link.Build.created is added so static head <link> elements reach
linkAddedCallback at all — void elements never trigger nodeComplete, which
is why static `<link>` had no observable effect before. Mirrors Image.

HttpClient.Request.ResourceType gains a `.stylesheet` variant so CDP Network
events report the right type; cdp.fetch.zig switches updated.

Refs #2343
---
 src/browser/Frame.zig                         | 89 +++++++++++++++++++
 src/browser/HttpClient.zig                    |  2 +
 src/browser/Session.zig                       |  6 +-
 .../tests/css/external_stylesheet.html        | 85 ++++++++++++++++++
 src/browser/tests/element/html/link.html      | 16 ++++
 src/browser/webapi/element/html/Link.zig      | 23 +++++
 src/cdp/domains/fetch.zig                     |  2 +
 src/testing.zig                               | 40 +++++++++
 8 files changed, 260 insertions(+), 3 deletions(-)
 create mode 100644 src/browser/tests/css/external_stylesheet.html

diff --git a/src/browser/Frame.zig b/src/browser/Frame.zig
index 1f081ded..b23a85aa 100644
--- a/src/browser/Frame.zig
+++ b/src/browser/Frame.zig
@@ -52,6 +52,7 @@ const AbstractRange = @import("webapi/AbstractRange.zig");
 const MutationObserver = @import("webapi/MutationObserver.zig");
 const IntersectionObserver = @import("webapi/IntersectionObserver.zig");
 const Worker = @import("webapi/Worker.zig");
+const CSSStyleSheet = @import("webapi/css/CSSStyleSheet.zig");
 const CustomElementDefinition = @import("webapi/CustomElementDefinition.zig");
 const PageTransitionEvent = @import("webapi/event/PageTransitionEvent.zig");
 const SubmitEvent = @import("webapi/event/SubmitEvent.zig");
@@ -1679,6 +1680,94 @@ pub fn queueLoad(self: *Frame, html: *Element.Html) !void {
     }
 }
 
+// Hard cap on a single external stylesheet body. CSS rule storage is per-
+// arena so a hostile sheet could otherwise inflate page memory; 2 MiB is
+// well above anything seen on real sites (Tailwind's `preflight + utilities`
+// build is ~400 KiB gzipped, ~3 MiB raw — at which point a site should be
+// splitting by route anyway).
+const MAX_STYLESHEET_BYTES: usize = 2 * 1024 * 1024;
+
+// Synchronously fetch and parse an external `<link rel=stylesheet>`. Opt-in
+// behind `session.load_external_stylesheets` — scrapers/crawlers that don't
+// need accurate visibility checks still get the cheap no-fetch path via
+// `Link.linkAddedCallback`. Mirrors `ScriptManager.addFromElement`'s use of
+// `syncRequest`: stylesheets are render-blocking in real browsers, so a
+// synchronous fetch from inside the parser callback matches expected
+// document-load ordering without manual `_pending_loads` bookkeeping.
+pub fn loadExternalStylesheet(self: *Frame, link: *Element.Html.Link) !void {
+    if (self.isGoingAway()) return;
+
+    const element = link.asElement();
+    const href = element.getAttributeSafe(comptime .wrap("href")) orelse return;
+    if (href.len == 0) return;
+
+    const arena = try self.getArena(.medium, "Frame.loadExternalStylesheet");
+    defer self._session.releaseArena(arena);
+
+    const resolved = URL.resolve(arena, self.base(), href, .{ .encoding = self.charset }) catch |err| {
+        log.warn(.browser, "external stylesheet resolve", .{ .err = err, .href = href });
+        try self.fireLinkEvent(link, comptime .wrap("error"));
+        return;
+    };
+
+    const session = self._session;
+    // HttpClient takes ownership of `headers` via the request struct (see
+    // HttpClient.zig:411 — must NOT pair with a local `defer deinit`).
+    var headers = try session.browser.http_client.newHeaders();
+    try headers.add("Accept: text/css,*/*;q=0.1");
+
+    var response = session.browser.http_client.syncRequest(arena, .{
+        .url = resolved,
+        .method = .GET,
+        .frame_id = self._frame_id,
+        .loader_id = self._loader_id,
+        .headers = headers,
+        .cookie_jar = &session.cookie_jar,
+        .cookie_origin = self.url,
+        .resource_type = .stylesheet,
+        .notification = session.notification,
+    }) catch |err| {
+        log.warn(.browser, "external stylesheet fetch", .{ .err = err, .url = resolved });
+        try self.fireLinkEvent(link, comptime .wrap("error"));
+        return;
+    };
+    defer response.deinit(arena);
+
+    if (response.status < 200 or response.status >= 300) {
+        log.info(.browser, "external stylesheet status", .{ .status = response.status, .url = resolved });
+        try self.fireLinkEvent(link, comptime .wrap("error"));
+        return;
+    }
+
+    if (response.body.items.len > MAX_STYLESHEET_BYTES) {
+        log.warn(.browser, "external stylesheet too large", .{
+            .bytes = response.body.items.len,
+            .max = MAX_STYLESHEET_BYTES,
+            .url = resolved,
+        });
+        try self.fireLinkEvent(link, comptime .wrap("error"));
+        return;
+    }
+
+    const sheet = try CSSStyleSheet.initWithOwner(element, self);
+    sheet._href = try self.arena.dupe(u8, resolved);
+    sheet.replaceSync(response.body.items, self) catch |err| {
+        log.warn(.browser, "external stylesheet parse", .{ .err = err, .url = resolved });
+        try self.fireLinkEvent(link, comptime .wrap("error"));
+        return;
+    };
+
+    const sheets = try self.document.getStyleSheets(self);
+    try sheets.add(sheet, self);
+
+    try self.fireLinkEvent(link, comptime .wrap("load"));
+}
+
+fn fireLinkEvent(self: *Frame, link: *Element.Html.Link, name: String) !void {
+    const event = try Event.initTrusted(name, .{}, self._page);
+    try self._event_manager.dispatch(link._proto.asEventTarget(), event);
+}
+
 fn dispatchLoad(self: *Frame) !void {
     const has_dom_load_listener = self._event_manager.has_dom_load_listener;
 
diff --git a/src/browser/HttpClient.zig b/src/browser/HttpClient.zig
index 6f2d19b7..04b5661a 100644
--- a/src/browser/HttpClient.zig
+++ b/src/browser/HttpClient.zig
@@ -910,6 +910,7 @@ pub const Request = struct {
         xhr,
         script,
         fetch,
+        stylesheet,
 
         // Allowed Values: Document, Stylesheet, Image, Media, Font, Script,
         // TextTrack, XHR, Fetch, Prefetch, EventSource, WebSocket, Manifest,
@@ -921,6 +922,7 @@ pub const Request = struct {
                 .xhr => "XHR",
                 .script => "Script",
                 .fetch => "Fetch",
+                .stylesheet => "Stylesheet",
             };
         }
     };
diff --git a/src/browser/Session.zig b/src/browser/Session.zig
index d044d0ef..70ec5d3e 100644
--- a/src/browser/Session.zig
+++ b/src/browser/Session.zig
@@ -95,9 +95,9 @@ worker_loading_enabled: bool = true,
 // false to preserve the current rendering-free fast path: drivers that
 // don't need accurate visibility checks pay nothing. Set from the
 // `--enable-external-stylesheets` CLI flag at session init; the
-// LP.configureLoading CDP method can flip it per-session. Currently
-// unread — the fetch path lands in a follow-up that depends on the
-// network refactor in #2303.
+// LP.configureLoading CDP method can flip it per-session. When true,
+// `Link.linkAddedCallback` routes to `Frame.loadExternalStylesheet`
+// (synchronous fetch + parse + register on `document.styleSheets`).
 load_external_stylesheets: bool = false,
 
 pub fn init(self: *Session, browser: *Browser, notification: *Notification) !void {
diff --git a/src/browser/tests/css/external_stylesheet.html b/src/browser/tests/css/external_stylesheet.html
new file mode 100644
index 00000000..cbd6df0d
--- /dev/null
+++ b/src/browser/tests/css/external_stylesheet.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+<head>
+  <script src="../testing.js"></script>
+  <link id="ext" rel="stylesheet" href="/styles/visibility.css">
+</head>
+<body>
+  <div id="visible">always visible</div>
+  <div id="hidden" class="ext-hide">hidden by external rule</div>
+
+  <script id="ext_stylesheet_registered">
+  {
+    // The parser-synchronous fetch in Frame.loadExternalStylesheet runs
+    // before this script executes, so document.styleSheets reflects the
+    // fetched sheet by the time we look.
+    testing.expectEqual(1, document.styleSheets.length);
+
+    const sheet = document.styleSheets[0];
+    testing.expectEqual(testing.ORIGIN + '/styles/visibility.css', sheet.href);
+    testing.expectEqual(1, sheet.cssRules.length);
+    testing.expectEqual('.ext-hide', sheet.cssRules[0].selectorText);
+  }
+  </script>
+
+  <script id="ext_stylesheet_cascade">
+  {
+    // External rule must reach StyleManager: a `.ext-hide` element should
+    // report checkVisibility() === false, exactly as if the rule were
+    // declared inline in a `<style>` block.
+    testing.expectTrue(document.getElementById('visible').checkVisibility());
+    testing.expectFalse(document.getElementById('hidden').checkVisibility());
+  }
+  </script>
+
+  <script id="ext_stylesheet_dynamic_load_event">
+  {
+    // Dynamically-inserted <link> fires `load` after the fetch completes.
+    const link = document.createElement('link');
+    link.rel = 'stylesheet';
+    link.href = '/styles/visibility.css';
+    testing.async(async () => {
+      const fired = await new Promise(resolve => {
+        link.addEventListener('load', () => resolve(true));
+        link.addEventListener('error', () => resolve(false));
+        document.head.appendChild(link);
+      });
+      testing.expectEqual(true, fired);
+    });
+    testing.expectEqual(true, true);
+  }
+  </script>
+
+  <script id="ext_stylesheet_404_fires_error">
+  {
+    const link = document.createElement('link');
+    link.rel = 'stylesheet';
+    link.href = '/styles/404.css';
+    testing.async(async () => {
+      const evt = await new Promise(resolve => {
+        link.addEventListener('load', () => resolve('load'));
+        link.addEventListener('error', () => resolve('error'));
+        document.head.appendChild(link);
+      });
+      testing.expectEqual('error', evt);
+    });
+    testing.expectEqual(true, true);
+  }
+  </script>
+
+  <script id="ext_stylesheet_oversize_fires_error">
+  {
+    const link = document.createElement('link');
+    link.rel = 'stylesheet';
+    link.href = '/styles/oversize.css';
+    testing.async(async () => {
+      const evt = await new Promise(resolve => {
+        link.addEventListener('load', () => resolve('load'));
+        link.addEventListener('error', () => resolve('error'));
+        document.head.appendChild(link);
+      });
+      testing.expectEqual('error', evt);
+    });
+    testing.expectEqual(true, true);
+  }
+  </script>
+</body>
diff --git a/src/browser/tests/element/html/link.html b/src/browser/tests/element/html/link.html
index 9f4dd6a8..d3f2faa0 100644
--- a/src/browser/tests/element/html/link.html
+++ b/src/browser/tests/element/html/link.html
@@ -137,3 +137,19 @@
   });
 }
 </script>
+
+<script id="ext_stylesheet_disabled_default">
+{
+  // Flag defaults off — a <link rel=stylesheet> must NOT register a sheet
+  // on document.styleSheets and must NOT touch the network. The synthetic
+  // load event still fires (asserted by other tests above).
+  const before = document.styleSheets.length;
+  const link = document.createElement('link');
+  link.rel = 'stylesheet';
+  link.href = '/styles/visibility.css';
+  document.head.appendChild(link);
+  testing.onload(() => {
+    testing.expectEqual(before, document.styleSheets.length);
+  });
+}
+</script>
diff --git a/src/browser/webapi/element/html/Link.zig b/src/browser/webapi/element/html/Link.zig
index 1b83dacf..2d5bfef6 100644
--- a/src/browser/webapi/element/html/Link.zig
+++ b/src/browser/webapi/element/html/Link.zig
@@ -114,6 +114,14 @@ pub fn linkAddedCallback(self: *Link, frame: *Frame) !void {
         return;
     }
 
+    // Opt-in fetch for `rel="stylesheet"` — drives `frame.loadExternalStylesheet`,
+    // which fires the load/error event itself. Other rels (preload,
+    // modulepreload) and the disabled case keep the rendering-free stub that
+    // fires a synthetic `load` event without touching the network.
+    if (std.mem.eql(u8, rel, "stylesheet") and frame._session.load_external_stylesheets) {
+        return frame.loadExternalStylesheet(self);
+    }
+
     try frame.queueLoad(self._proto);
 }
 
@@ -143,7 +151,22 @@ pub const JsApi = struct {
     }
 };
 
+// Parser-created <link> elements are void (no closing tag) so they never
+// reach `Frame.nodeComplete`. Mirror `Image.Build.created` so static head
+// links in HTML go through `linkAddedCallback` at element-create time,
+// with attributes already populated by `populateElementAttributes`.
+pub const Build = struct {
+    pub fn created(node: *Node, frame: *Frame) !void {
+        const self = node.as(Link);
+        return self.linkAddedCallback(frame);
+    }
+};
+
 const testing = @import("../../../../testing.zig");
 test "WebApi: HTML.Link" {
     try testing.htmlRunner("element/html/link.html", .{});
 }
+
+test "WebApi: HTML.Link external stylesheet" {
+    try testing.htmlRunner("css/external_stylesheet.html", .{ .load_external_stylesheets = true });
+}
diff --git a/src/cdp/domains/fetch.zig b/src/cdp/domains/fetch.zig
index 64a1ec7e..b2831abe 100644
--- a/src/cdp/domains/fetch.zig
+++ b/src/cdp/domains/fetch.zig
@@ -209,6 +209,7 @@ pub fn requestIntercept(bc: *CDP.BrowserContext, intercept: *const Notification.
             .xhr => "XHR",
             .document => "Document",
             .fetch => "Fetch",
+            .stylesheet => "Stylesheet",
         },
         .networkId = &id.toRequestId(transfer), // matches the Network REQ-ID
     }, .{ .session_id = session_id });
@@ -453,6 +454,7 @@ pub fn requestAuthRequired(bc: *CDP.BrowserContext, intercept: *const Notificati
             .xhr => "XHR",
             .document => "Document",
             .fetch => "Fetch",
+            .stylesheet => "Stylesheet",
         },
         .authChallenge = .{
             .origin = "", // TODO get origin, could be the proxy address for example.
diff --git a/src/testing.zig b/src/testing.zig
index 3897a06a..a9ecff71 100644
--- a/src/testing.zig
+++ b/src/testing.zig
@@ -341,6 +341,7 @@ const WEB_API_TEST_ROOT = "src/browser/tests/";
 const HtmlRunnerOpts = struct {
     timeout_ms: u32 = 2000,
     inject_script: ?[]const u8 = null,
+    load_external_stylesheets: bool = false,
 };
 
 pub fn htmlRunner(comptime path: []const u8, opts: HtmlRunnerOpts) !void {
@@ -353,6 +354,9 @@ pub fn htmlRunner(comptime path: []const u8, opts: HtmlRunnerOpts) !void {
     }
     defer test_session.inject_scripts = &.{};
 
+    test_session.load_external_stylesheets = opts.load_external_stylesheets;
+    defer test_session.load_external_stylesheets = false;
+
     const root = try std.fs.path.joinZ(arena_allocator, &.{ WEB_API_TEST_ROOT, path });
     const stat = std.fs.cwd().statFile(root) catch |err| {
         std.debug.print("Failed to stat file: '{s}'", .{root});
@@ -678,6 +682,42 @@ fn testHTTPHandler(req: *std.http.Server.Request) !void {
         });
     }
 
+    if (std.mem.eql(u8, path, "/styles/visibility.css")) {
+        // Used by css/external_stylesheet.html — drives the visibility
+        // cascade through StyleManager via Frame.loadExternalStylesheet
+        // so a `.ext-hide` element is observable to checkVisibility().
+        return req.respond(".ext-hide { display: none; }", .{
+            .extra_headers = &.{
+                .{ .name = "Content-Type", .value = "text/css" },
+            },
+        });
+    }
+
+    if (std.mem.eql(u8, path, "/styles/404.css")) {
+        return req.respond("/* unused */", .{
+            .status = .not_found,
+            .extra_headers = &.{
+                .{ .name = "Content-Type", .value = "text/css" },
+            },
+        });
+    }
+
+    if (std.mem.eql(u8, path, "/styles/oversize.css")) {
+        // Body that exceeds Frame.MAX_STYLESHEET_BYTES (2 MiB) — written as a
+        // long sequence of valid declarations so the response itself parses
+        // fine and the error path is exercised by the size cap, not by a
+        // CSS parse failure.
+        const chunk = ".pad { color: #abcdef; } "; // 25 bytes
+        const repeats = (2 * 1024 * 1024 / chunk.len) + 1024;
+        var body = try std.ArrayList(u8).initCapacity(arena_allocator, chunk.len * repeats);
+        for (0..repeats) |_| body.appendSliceAssumeCapacity(chunk);
+        return req.respond(body.items, .{
+            .extra_headers = &.{
+                .{ .name = "Content-Type", .value = "text/css" },
+            },
+        });
+    }
+
     if (std.mem.eql(u8, path, "/echo_referer")) {
         // Echo the request's Referer header back as HTML so tests can assert
         // what Referer the navigation sent. Used by the cross-page Referer test.

From 4592812027095946c16036241bed82c9897f646f Mon Sep 17 00:00:00 2001
From: Navid EMAD <navid.emad@yespark.fr>
Date: Sun, 17 May 2026 16:32:53 +0200
Subject: [PATCH 3/6] Reuse cached sheet on link href change
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Caught in code review: `loadExternalStylesheet` created a fresh
`CSSStyleSheet` and appended to `document.styleSheets` on every call, so
mutating `link.href` on a connected stylesheet element accumulated stale
sheets — the old rules kept cascading because the previous sheet was
never removed.

Cache the sheet on `Link._sheet` (mirroring `Style._sheet`) and reuse it
via `replaceSync` on re-fetch. First load creates + registers as before;
subsequent loads swap content in place, keeping `document.styleSheets`
length stable.

On fetch failure the cached sheet is untouched — matches browser
behavior where a broken href doesn't invalidate the previously loaded
sheet until the link itself is removed.

Refs #2343
---
 src/browser/Frame.zig                         | 16 ++++++--
 .../tests/css/external_stylesheet.html        | 38 +++++++++++++++++++
 src/browser/webapi/element/html/Link.zig      |  6 +++
 src/testing.zig                               | 11 ++++++
 4 files changed, 67 insertions(+), 4 deletions(-)

diff --git a/src/browser/Frame.zig b/src/browser/Frame.zig
index b23a85aa..d424c4bc 100644
--- a/src/browser/Frame.zig
+++ b/src/browser/Frame.zig
@@ -1749,7 +1749,18 @@ pub fn loadExternalStylesheet(self: *Frame, link: *Element.Html.Link) !void {
         return;
     }
 
-    const sheet = try CSSStyleSheet.initWithOwner(element, self);
+    // Reuse the cached sheet on re-fetch (href mutation on a connected
+    // link) so `document.styleSheets` keeps a single entry per <link>
+    // instead of accumulating one per href change. On first load, create
+    // and register; on subsequent loads, replace content in place.
+    const sheet = link._sheet orelse blk: {
+        const new_sheet = try CSSStyleSheet.initWithOwner(element, self);
+        link._sheet = new_sheet;
+        const sheets = try self.document.getStyleSheets(self);
+        try sheets.add(new_sheet, self);
+        break :blk new_sheet;
+    };
+
     sheet._href = try self.arena.dupe(u8, resolved);
     sheet.replaceSync(response.body.items, self) catch |err| {
         log.warn(.browser, "external stylesheet parse", .{ .err = err, .url = resolved });
@@ -1757,9 +1768,6 @@ pub fn loadExternalStylesheet(self: *Frame, link: *Element.Html.Link) !void {
         return;
     };
 
-    const sheets = try self.document.getStyleSheets(self);
-    try sheets.add(sheet, self);
-
     try self.fireLinkEvent(link, comptime .wrap("load"));
 }
 
diff --git a/src/browser/tests/css/external_stylesheet.html b/src/browser/tests/css/external_stylesheet.html
index cbd6df0d..5ec76a5b 100644
--- a/src/browser/tests/css/external_stylesheet.html
+++ b/src/browser/tests/css/external_stylesheet.html
@@ -82,4 +82,42 @@
     testing.expectEqual(true, true);
   }
   </script>
+
+  <script id="ext_stylesheet_href_change_replaces">
+  {
+    // Mutating link.href on a connected stylesheet link must REPLACE the
+    // cached sheet's rules, not append a second entry to
+    // document.styleSheets. Regression test for the stale-sheet
+    // accumulation bug caught in code review.
+    const link = document.createElement('link');
+    link.rel = 'stylesheet';
+    link.href = '/styles/visibility.css';
+    testing.async(async () => {
+      const baseline = document.styleSheets.length;
+
+      await new Promise(resolve => {
+        link.addEventListener('load', () => resolve(), { once: true });
+        document.head.appendChild(link);
+      });
+      const afterFirst = document.styleSheets.length;
+      testing.expectEqual(baseline + 1, afterFirst);
+
+      const second = await new Promise(resolve => {
+        link.addEventListener('load', () => resolve('load'), { once: true });
+        link.addEventListener('error', () => resolve('error'), { once: true });
+        link.href = '/styles/visibility2.css';
+      });
+      testing.expectEqual('load', second);
+      testing.expectEqual(afterFirst, document.styleSheets.length);
+
+      // New rules must be in effect after the swap. The reused sheet is
+      // the last registered one (the static head link registered first).
+      const sheet = document.styleSheets[afterFirst - 1];
+      testing.expectEqual(testing.ORIGIN + '/styles/visibility2.css', sheet.href);
+      testing.expectEqual(1, sheet.cssRules.length);
+      testing.expectEqual('.ext-hide-2', sheet.cssRules[0].selectorText);
+    });
+    testing.expectEqual(true, true);
+  }
+  </script>
 </body>
diff --git a/src/browser/webapi/element/html/Link.zig b/src/browser/webapi/element/html/Link.zig
index 2d5bfef6..2aa0e4c2 100644
--- a/src/browser/webapi/element/html/Link.zig
+++ b/src/browser/webapi/element/html/Link.zig
@@ -26,6 +26,12 @@ const HtmlElement = @import("../Html.zig");
 
 const Link = @This();
 _proto: *HtmlElement,
+// Cached CSSStyleSheet for an external `rel=stylesheet` once
+// `Frame.loadExternalStylesheet` has registered it. Re-fetches (href
+// mutated on a connected link) reuse this sheet via `replaceSync` so the
+// old rules are dropped instead of accumulating in `document.styleSheets`.
+// Mirrors `Style._sheet`.
+_sheet: ?*@import("../../css/CSSStyleSheet.zig") = null,
 
 pub fn asElement(self: *Link) *Element {
     return self._proto._proto;
diff --git a/src/testing.zig b/src/testing.zig
index a9ecff71..62b1c67d 100644
--- a/src/testing.zig
+++ b/src/testing.zig
@@ -693,6 +693,17 @@ fn testHTTPHandler(req: *std.http.Server.Request) !void {
         });
     }
 
+    if (std.mem.eql(u8, path, "/styles/visibility2.css")) {
+        // Second visibility sheet used by the href-change regression test:
+        // mutating link.href must replace the cached sheet's rules in place,
+        // not append a new entry to document.styleSheets.
+        return req.respond(".ext-hide-2 { display: none; }", .{
+            .extra_headers = &.{
+                .{ .name = "Content-Type", .value = "text/css" },
+            },
+        });
+    }
+
     if (std.mem.eql(u8, path, "/styles/404.css")) {
         return req.respond("/* unused */", .{
             .status = .not_found,

From f05efd6719bacff379204b485d160c544417d0f9 Mon Sep 17 00:00:00 2001
From: Navid EMAD <navid.emad@yespark.fr>
Date: Sun, 17 May 2026 16:50:29 +0200
Subject: [PATCH 4/6] Harden external stylesheet path per code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses 8 findings from ultrareview on the external stylesheet feature:

* UAF on CDP teardown during syncRequest. `loadExternalStylesheet`
  pumps the CDP socket inline, so a `Target.closeTarget` arriving
  mid-fetch could drive `Session.removePage` and free the frame
  while we still held `self`. Set `_script_manager.base.is_evaluating`
  around the call — the same bracket every other syncRequest caller
  uses, which is what `Session.removePage`'s reentrancy guard checks.

* Disconnect leak. `link.remove()` left the sheet on
  `document.styleSheets` and in the cascade forever; the disconnect
  walker had a `<style>` branch but no `<link>` mirror. Common SPA
  theme-switch pattern (append new sheet, remove old) was broken.
  Added the parallel `else if` branch.

* Fragment-parsed links. `Build.created` fires for parser-instantiated
  elements before attachment, including innerHTML / outerHTML /
  insertAdjacentHTML / Range.createContextualFragment / <template>
  content. Without a guard those fetched against the live document
  and registered phantom sheets even when the fragment was never
  attached. Added `_parse_mode == .fragment` early-return mirroring
  the existing `nodeIsReady` short-circuit. DOMParser is a separate
  case (parses with `.document` into a different Document) and is
  left as a known follow-up.

* Missing Referer. Every other resource-fetch path
  (ScriptManagerBase, XHR, Fetch, WorkerGlobalScope) routes through
  `Frame.headersForRequest` to attach the cached `Referer` header.
  Many CDNs gate stylesheet delivery on Referer; without it requests
  returned 403/302 and the CSS silently failed. Added the call.

* Header OOM leak. `headers.add` between `newHeaders()` and
  `syncRequest` (which takes ownership) leaked the initial 3-entry
  slist on OOM. Added `errdefer headers.deinit()` mirroring
  RobotsLayer.zig:121-122.

* `_href` mutated before parse could fail. On parse error the cached
  sheet was left with the new URL but old rules dropped — violated
  the "previous sheet intact on failure" invariant the PR description
  promises. Moved the `_href` assignment to after `replaceSync`
  succeeds. Full atomicity would require a scratch-list pattern in
  `CSSStyleSheet.replaceSync` itself; documented as a known limit.

* `_sheet` cached before registration could OOM. If `sheets.add`
  failed, `link._sheet` pointed at an unregistered sheet and every
  future re-fetch short-circuited via the `orelse` branch, leaving
  the sheet permanently unreachable through `document.styleSheets`.
  Assign `link._sheet` only after `sheets.add` succeeds.

* Stale CLI help text claimed `--enable-external-stylesheets` was a
  no-op surface. Removed the obsolete sentence.

New regression tests cover fragment-parse skip and disconnect
removal+re-add. Full suite 694/694 pass.

Refs #2343
---
 src/browser/Frame.zig                         | 61 +++++++++++++++++--
 .../tests/css/external_stylesheet.html        | 56 +++++++++++++++++
 src/help.zon                                  |  7 +--
 3 files changed, 115 insertions(+), 9 deletions(-)

diff --git a/src/browser/Frame.zig b/src/browser/Frame.zig
index d424c4bc..39b21e6a 100644
--- a/src/browser/Frame.zig
+++ b/src/browser/Frame.zig
@@ -1697,6 +1697,15 @@ const MAX_STYLESHEET_BYTES: usize = 2 * 1024 * 1024;
 pub fn loadExternalStylesheet(self: *Frame, link: *Element.Html.Link) !void {
     if (self.isGoingAway()) return;
 
+    // Fragment-parsed links (innerHTML / outerHTML / DOMParser /
+    // Range.createContextualFragment / <template>.content) reach
+    // `Link.Build.created` like any other parser-instantiated element, but
+    // their owner subtree may never be attached to the live document. A
+    // network fetch + sheet registration against `self.document` would be
+    // a visible side effect of merely parsing markup. Mirrors the
+    // `nodeIsReady` short-circuit at the existing parser-path guard.
+    if (self._parse_mode == .fragment) return;
+
     const element = link.asElement();
     const href = element.getAttributeSafe(comptime .wrap("href")) orelse return;
     if (href.len == 0) return;
@@ -1711,10 +1720,28 @@ pub fn loadExternalStylesheet(self: *Frame, link: *Element.Html.Link) !void {
     };
 
     const session = self._session;
-    // HttpClient takes ownership of `headers` via the request struct (see
-    // HttpClient.zig:411 — must NOT pair with a local `defer deinit`).
+    // HttpClient takes ownership of `headers` via the request struct on
+    // successful `syncRequest` (see HttpClient.zig:411). Until ownership
+    // transfers, `errdefer` covers the OOM window in `headers.add` /
+    // `headersForRequest` so the initial `newHeaders()` slist doesn't
+    // leak. Once `syncRequest` is entered the request struct handles
+    // cleanup — do NOT add a plain `defer deinit` here.
     var headers = try session.browser.http_client.newHeaders();
+    errdefer headers.deinit();
     try headers.add("Accept: text/css,*/*;q=0.1");
+    try self.headersForRequest(&headers);
+
+    // Set the script-manager `is_evaluating` flag for the same reason
+    // `ScriptManager.addFromElement` does: `syncRequest` pumps the CDP
+    // socket inline, so a `Target.closeTarget` / `Page.close` arriving
+    // mid-fetch would otherwise drive `Session.removePage` while this
+    // function still holds pointers to `self`. The check in
+    // `Session.removePage` (Session.zig:253) consults
+    // `frame.anyScriptEvaluating()`, which only sees this flag.
+    const sm = &self._script_manager.base;
+    const was_evaluating = sm.is_evaluating;
+    sm.is_evaluating = true;
+    defer sm.is_evaluating = was_evaluating;
 
     var response = session.browser.http_client.syncRequest(arena, .{
         .url = resolved,
@@ -1753,20 +1780,32 @@ pub fn loadExternalStylesheet(self: *Frame, link: *Element.Html.Link) !void {
     // link) so `document.styleSheets` keeps a single entry per <link>
     // instead of accumulating one per href change. On first load, create
     // and register; on subsequent loads, replace content in place.
+    //
+    // First-load creation assigns `link._sheet` AFTER `sheets.add`
+    // succeeds so an OOM during registration doesn't cache an unregistered
+    // sheet (which would short-circuit every future re-fetch via the
+    // `orelse` branch, leaving the sheet permanently unreachable through
+    // `document.styleSheets`).
     const sheet = link._sheet orelse blk: {
         const new_sheet = try CSSStyleSheet.initWithOwner(element, self);
-        link._sheet = new_sheet;
         const sheets = try self.document.getStyleSheets(self);
         try sheets.add(new_sheet, self);
+        link._sheet = new_sheet;
         break :blk new_sheet;
     };
 
-    sheet._href = try self.arena.dupe(u8, resolved);
+    // Parse first, only swap `_href` on success. `replaceSync` itself is
+    // not atomic (clears rules before the insert loop), so a mid-parse
+    // OOM still drops the old rules — full atomicity would require a
+    // scratch-list pattern in `CSSStyleSheet.replaceSync`. Keeping
+    // `_href` consistent with what the sheet actually contains is the
+    // minimum.
     sheet.replaceSync(response.body.items, self) catch |err| {
         log.warn(.browser, "external stylesheet parse", .{ .err = err, .url = resolved });
         try self.fireLinkEvent(link, comptime .wrap("error"));
         return;
     };
+    sheet._href = try self.arena.dupe(u8, resolved);
 
     try self.fireLinkEvent(link, comptime .wrap("load"));
 }
@@ -3109,6 +3148,20 @@ pub fn removeNode(self: *Frame, parent: *Node, child: *Node, opts: RemoveNodeOpt
                 style._sheet = null;
             }
             self._style_manager.sheetModified();
+        } else if (el.is(Element.Html.Link)) |link| {
+            // External stylesheet links registered via Frame.loadExternalStylesheet
+            // must be symmetrically deregistered on disconnect, or
+            // `document.styleSheets` accumulates phantom entries and the
+            // visibility cascade keeps honoring rules from removed links —
+            // exactly the SPA theme-switch pattern (append new sheet,
+            // remove old) the feature exists to serve.
+            if (link._sheet) |sheet| {
+                if (self.document._style_sheets) |sheets| {
+                    sheets.remove(sheet);
+                }
+                link._sheet = null;
+                self._style_manager.sheetModified();
+            }
         }
     }
 }
diff --git a/src/browser/tests/css/external_stylesheet.html b/src/browser/tests/css/external_stylesheet.html
index 5ec76a5b..10b38042 100644
--- a/src/browser/tests/css/external_stylesheet.html
+++ b/src/browser/tests/css/external_stylesheet.html
@@ -120,4 +120,60 @@
     testing.expectEqual(true, true);
   }
   </script>
+
+  <script id="ext_stylesheet_fragment_parse_skipped">
+  {
+    // Stylesheet links parsed via innerHTML / outerHTML /
+    // insertAdjacentHTML / Range.createContextualFragment / <template>
+    // content must NOT trigger a network fetch or register a sheet on
+    // the live document — the owning subtree may never be attached.
+    // Regression test for the fragment-mode bypass caught in code review.
+    //
+    // Assertion is synchronous on purpose: parseHtmlAsChildren runs
+    // inline, so any unintended sheet registration would be visible
+    // immediately. Deferring to testing.onload would race against the
+    // async tests above that legitimately add sheets.
+    //
+    // DOMParser.parseFromString is a separate case (parses with
+    // `_parse_mode = .document` into a *different* Document) and is not
+    // covered by the same gate — tracked as a follow-up.
+    const before = document.styleSheets.length;
+    const div = document.createElement('div');
+    div.innerHTML = '<link rel="stylesheet" href="/styles/visibility.css">';
+    testing.expectEqual(before, document.styleSheets.length);
+  }
+  </script>
+
+  <script id="ext_stylesheet_disconnect_removes">
+  {
+    // Removing a connected stylesheet link must drop its sheet from
+    // document.styleSheets. Without symmetric deregistration the SPA
+    // theme-switch pattern (append new, remove old) would accumulate
+    // phantom entries and stale cascade rules.
+    const link = document.createElement('link');
+    link.rel = 'stylesheet';
+    link.href = '/styles/visibility2.css';
+    testing.async(async () => {
+      const baseline = document.styleSheets.length;
+
+      await new Promise(resolve => {
+        link.addEventListener('load', () => resolve(), { once: true });
+        document.head.appendChild(link);
+      });
+      testing.expectEqual(baseline + 1, document.styleSheets.length);
+
+      link.remove();
+      testing.expectEqual(baseline, document.styleSheets.length);
+
+      // Re-appending must register fresh — the disconnect cleanup
+      // cleared link._sheet so the cached short-circuit doesn't apply.
+      await new Promise(resolve => {
+        link.addEventListener('load', () => resolve(), { once: true });
+        document.head.appendChild(link);
+      });
+      testing.expectEqual(baseline + 1, document.styleSheets.length);
+    });
+    testing.expectEqual(true, true);
+  }
+  </script>
 </body>
diff --git a/src/help.zon b/src/help.zon
index aae77fea..d8354d24 100644
--- a/src/help.zon
+++ b/src/help.zon
@@ -159,11 +159,8 @@
     \\                           visibility, opacity, pointer-events). The default
     \\                           skips these fetches, which makes utility-class-
     \\                           heavy sites read as not-visible from the driver
-    \\                           side. Currently a no-op: reserves the surface
-    \\                           (CLI + LP.configureLoading externalStylesheets)
-    \\                           so drivers can adopt it before the fetch path
-    \\                           lands in a follow-up. Drivers can also toggle
-    \\                           this per-session via LP.configureLoading.
+    \\                           side. Drivers can also toggle this per-session
+    \\                           via LP.configureLoading.
     \\                           Defaults to false.
     \\
     \\--block-private-networks   Block HTTP requests to private/internal IP

From 32dbd716b1f00dfa47ab57d3e3fc9a67f41efbc3 Mon Sep 17 00:00:00 2001
From: Navid EMAD <navid.emad@yespark.fr>
Date: Sun, 17 May 2026 16:57:02 +0200
Subject: [PATCH 5/6] Apply fragment parse-mode to DOMParser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes the DOMParser gap left as a follow-up in the previous review-fix
commit. DOMParser.parseFromString built its target Document via the
frame's parser without touching `_parse_mode`, so `Build.created` →
`linkAddedCallback` → `loadExternalStylesheet` saw `_parse_mode ==
.document` and fetched/registered sheets on the LIVE frame document for
every stylesheet link in the parsed string.

Bracket both the text/html and XML branches with the same fragment
parse-mode `parseHtmlAsChildren` uses. The existing gate in
`loadExternalStylesheet` already short-circuits on .fragment, so no
change is needed there. Side benefits: parser-emitted scripts in
DOMParser content stop reaching `scriptAddedCallback` against the live
frame, default-script injection skips DOMParser content, and mutation
observers on the live document no longer fan out for parsed nodes —
all of which match what DOMParser should do per spec.

Regression test extended to cover the DOMParser path alongside the
existing innerHTML case.

Refs #2343
---
 .../tests/css/external_stylesheet.html        | 28 +++++++++++--------
 src/browser/webapi/DOMParser.zig              | 11 ++++++++
 2 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/src/browser/tests/css/external_stylesheet.html b/src/browser/tests/css/external_stylesheet.html
index 10b38042..a98520ad 100644
--- a/src/browser/tests/css/external_stylesheet.html
+++ b/src/browser/tests/css/external_stylesheet.html
@@ -125,22 +125,28 @@
   {
     // Stylesheet links parsed via innerHTML / outerHTML /
     // insertAdjacentHTML / Range.createContextualFragment / <template>
-    // content must NOT trigger a network fetch or register a sheet on
-    // the live document — the owning subtree may never be attached.
-    // Regression test for the fragment-mode bypass caught in code review.
+    // content / DOMParser.parseFromString must NOT trigger a network
+    // fetch or register a sheet on the live document — the owning
+    // subtree may never be attached or belongs to a different Document.
     //
-    // Assertion is synchronous on purpose: parseHtmlAsChildren runs
-    // inline, so any unintended sheet registration would be visible
-    // immediately. Deferring to testing.onload would race against the
-    // async tests above that legitimately add sheets.
-    //
-    // DOMParser.parseFromString is a separate case (parses with
-    // `_parse_mode = .document` into a *different* Document) and is not
-    // covered by the same gate — tracked as a follow-up.
+    // Assertion is synchronous on purpose: both parse paths run inline,
+    // so any unintended sheet registration would be visible immediately.
+    // Deferring to testing.onload would race against the async tests
+    // above that legitimately add sheets.
     const before = document.styleSheets.length;
+
     const div = document.createElement('div');
     div.innerHTML = '<link rel="stylesheet" href="/styles/visibility.css">';
     testing.expectEqual(before, document.styleSheets.length);
+
+    const parsed = new DOMParser().parseFromString(
+      '<html><head><link rel="stylesheet" href="/styles/visibility2.css"></head><body></body></html>',
+      'text/html'
+    );
+    // Parsed link exists in the new document...
+    testing.expectEqual(1, parsed.querySelectorAll('link').length);
+    // ...but no sheet on the live document.
+    testing.expectEqual(before, document.styleSheets.length);
   }
   </script>
 
diff --git a/src/browser/webapi/DOMParser.zig b/src/browser/webapi/DOMParser.zig
index f06027c5..d0356803 100644
--- a/src/browser/webapi/DOMParser.zig
+++ b/src/browser/webapi/DOMParser.zig
@@ -53,6 +53,17 @@ pub fn parseFromString(
     const arena = try frame.getArena(.medium, "DOMParser.parseFromString");
     defer frame.releaseArena(arena);
 
+    // DOMParser builds a detached Document. Borrow the same fragment
+    // parse-mode that `parseHtmlAsChildren` uses so frame-side hooks
+    // triggered from `Build.created` / `nodeIsReady` (external stylesheet
+    // fetches, script execution, mutation-observer fan-out, default-script
+    // injection) treat the parsed nodes as detached and skip
+    // side effects on the live document. The frame's `_parse_mode` is
+    // restored on exit.
+    const previous_parse_mode = frame._parse_mode;
+    frame._parse_mode = .fragment;
+    defer frame._parse_mode = previous_parse_mode;
+
     return switch (target_mime) {
         .@"text/html" => {
             // Create a new HTMLDocument

From 2fd2be0e515a46901af9fa091e3d78f8d489cdf1 Mon Sep 17 00:00:00 2001
From: Karl Seguin <k@openmymind.io>
Date: Wed, 20 May 2026 10:31:28 +0800
Subject: [PATCH 6/6] Small largely stylistic tweaks

Trim down a lot of the comments. Inline remarks in some cases rather than a
large function header.

Removing the `errdefer headers.deinit();` is unfortunate but currently
necessary to avoid a potential double-free if the request gets far enough that
http_client frees it and still returns an error. This is a known issue that
needs to be fixed separately and that impacts multiple call-sites. My "fix"
introduces a possible (very small) memory leak versus a possible crash.
---
 src/browser/Frame.zig                    | 89 +++++++++++-------------
 src/browser/webapi/element/html/Link.zig |  6 +-
 src/help.zon                             |  6 +-
 3 files changed, 44 insertions(+), 57 deletions(-)

diff --git a/src/browser/Frame.zig b/src/browser/Frame.zig
index 39b21e6a..f037dfb4 100644
--- a/src/browser/Frame.zig
+++ b/src/browser/Frame.zig
@@ -1687,47 +1687,41 @@ pub fn queueLoad(self: *Frame, html: *Element.Html) !void {
 // splitting by route anyway).
 const MAX_STYLESHEET_BYTES: usize = 2 * 1024 * 1024;
 
-// Synchronously fetch and parse an external `<link rel=stylesheet>`. Opt-in
-// behind `session.load_external_stylesheets` — scrapers/crawlers that don't
-// need accurate visibility checks still get the cheap no-fetch path via
-// `Link.linkAddedCallback`. Mirrors `ScriptManager.addFromElement`'s use of
-// `syncRequest`: stylesheets are render-blocking in real browsers, so a
-// synchronous fetch from inside the parser callback matches expected
-// document-load ordering without manual `_pending_loads` bookkeeping.
-pub fn loadExternalStylesheet(self: *Frame, link: *Element.Html.Link) !void {
-    if (self.isGoingAway()) return;
+// Synchronously fetch and parse an external `<link rel=stylesheet>`.
+// href is passed in as an optimization since the [currently] only callsite has
+// it, so why look it up again?
+pub fn loadExternalStylesheet(self: *Frame, link: *Element.Html.Link, href: []const u8) !void {
+    if (self.isGoingAway() or href.len == 0) {
+        return;
+    }
 
-    // Fragment-parsed links (innerHTML / outerHTML / DOMParser /
-    // Range.createContextualFragment / <template>.content) reach
-    // `Link.Build.created` like any other parser-instantiated element, but
-    // their owner subtree may never be attached to the live document. A
-    // network fetch + sheet registration against `self.document` would be
-    // a visible side effect of merely parsing markup. Mirrors the
-    // `nodeIsReady` short-circuit at the existing parser-path guard.
-    if (self._parse_mode == .fragment) return;
+    const session = self._session;
 
+    // this feature is disabled by default, and can be turned on via a command
+    // line flag or via an CDP command
+    if (session.load_external_stylesheets == false) {
+        return self.queueLoad(link._proto);
+    }
+
+    // Fragment-parsed links (innerHTML, DOMParser, ...) may not be attached.
+    // TODO: this isn't correct in all cases. If the link is added into an
+    // attached node, I think we SHOULD load it.
+    if (self._parse_mode == .fragment) {
+        return;
+    }
     const element = link.asElement();
-    const href = element.getAttributeSafe(comptime .wrap("href")) orelse return;
-    if (href.len == 0) return;
 
-    const arena = try self.getArena(.medium, "Frame.loadExternalStylesheet");
-    defer self._session.releaseArena(arena);
+    const arena = try session.getArena(.medium, "Frame.loadExternalStylesheet");
+    defer session.releaseArena(arena);
 
     const resolved = URL.resolve(arena, self.base(), href, .{ .encoding = self.charset }) catch |err| {
-        log.warn(.browser, "external stylesheet resolve", .{ .err = err, .href = href });
-        try self.fireLinkEvent(link, comptime .wrap("error"));
+        log.warn(.http, "external stylesheet resolve", .{ .err = err, .href = href });
+        try self.fireElementEvent(element, comptime .wrap("error"));
         return;
     };
 
-    const session = self._session;
-    // HttpClient takes ownership of `headers` via the request struct on
-    // successful `syncRequest` (see HttpClient.zig:411). Until ownership
-    // transfers, `errdefer` covers the OOM window in `headers.add` /
-    // `headersForRequest` so the initial `newHeaders()` slist doesn't
-    // leak. Once `syncRequest` is entered the request struct handles
-    // cleanup — do NOT add a plain `defer deinit` here.
-    var headers = try session.browser.http_client.newHeaders();
-    errdefer headers.deinit();
+    const http_client = &session.browser.http_client;
+    var headers = try http_client.newHeaders();
     try headers.add("Accept: text/css,*/*;q=0.1");
     try self.headersForRequest(&headers);
 
@@ -1743,7 +1737,7 @@ pub fn loadExternalStylesheet(self: *Frame, link: *Element.Html.Link) !void {
     sm.is_evaluating = true;
     defer sm.is_evaluating = was_evaluating;
 
-    var response = session.browser.http_client.syncRequest(arena, .{
+    var response = http_client.syncRequest(arena, .{
         .url = resolved,
         .method = .GET,
         .frame_id = self._frame_id,
@@ -1754,26 +1748,23 @@ pub fn loadExternalStylesheet(self: *Frame, link: *Element.Html.Link) !void {
         .resource_type = .stylesheet,
         .notification = session.notification,
     }) catch |err| {
-        log.warn(.browser, "external stylesheet fetch", .{ .err = err, .url = resolved });
-        try self.fireLinkEvent(link, comptime .wrap("error"));
-        return;
+        log.warn(.http, "external stylesheet fetch", .{ .err = err, .url = resolved });
+        return self.fireElementEvent(element, comptime .wrap("error"));
     };
     defer response.deinit(arena);
 
     if (response.status < 200 or response.status >= 300) {
-        log.info(.browser, "external stylesheet status", .{ .status = response.status, .url = resolved });
-        try self.fireLinkEvent(link, comptime .wrap("error"));
-        return;
+        log.info(.http, "external stylesheet status", .{ .status = response.status, .url = resolved });
+        return self.fireElementEvent(element, comptime .wrap("error"));
     }
 
     if (response.body.items.len > MAX_STYLESHEET_BYTES) {
-        log.warn(.browser, "external stylesheet too large", .{
+        log.warn(.http, "external stylesheet too large", .{
             .bytes = response.body.items.len,
             .max = MAX_STYLESHEET_BYTES,
             .url = resolved,
         });
-        try self.fireLinkEvent(link, comptime .wrap("error"));
-        return;
+        return self.fireElementEvent(element, comptime .wrap("error"));
     }
 
     // Reuse the cached sheet on re-fetch (href mutation on a connected
@@ -1801,18 +1792,17 @@ pub fn loadExternalStylesheet(self: *Frame, link: *Element.Html.Link) !void {
     // `_href` consistent with what the sheet actually contains is the
     // minimum.
     sheet.replaceSync(response.body.items, self) catch |err| {
-        log.warn(.browser, "external stylesheet parse", .{ .err = err, .url = resolved });
-        try self.fireLinkEvent(link, comptime .wrap("error"));
-        return;
+        log.warn(.http, "external stylesheet parse", .{ .err = err, .url = resolved });
+        return self.fireElementEvent(element, comptime .wrap("error"));
     };
     sheet._href = try self.arena.dupe(u8, resolved);
 
-    try self.fireLinkEvent(link, comptime .wrap("load"));
+    try self.fireElementEvent(element, comptime .wrap("load"));
 }
 
-fn fireLinkEvent(self: *Frame, link: *Element.Html.Link, name: String) !void {
+fn fireElementEvent(self: *Frame, el: *Element, name: String) !void {
     const event = try Event.initTrusted(name, .{}, self._page);
-    try self._event_manager.dispatch(link._proto.asEventTarget(), event);
+    try self._event_manager.dispatch(el.asEventTarget(), event);
 }
 
 fn dispatchLoad(self: *Frame) !void {
@@ -1827,8 +1817,7 @@ fn dispatchLoad(self: *Frame) !void {
 
     for (to_process.items) |html_element| {
         if (has_dom_load_listener or html_element.hasAttributeFunction(.onload, self)) {
-            const event = try Event.initTrusted(comptime .wrap("load"), .{}, self._page);
-            try self._event_manager.dispatch(html_element.asEventTarget(), event);
+            try self.fireElementEvent(html_element.asElement(), comptime .wrap("load"));
         }
     }
 
diff --git a/src/browser/webapi/element/html/Link.zig b/src/browser/webapi/element/html/Link.zig
index 2aa0e4c2..17b2f96c 100644
--- a/src/browser/webapi/element/html/Link.zig
+++ b/src/browser/webapi/element/html/Link.zig
@@ -124,8 +124,8 @@ pub fn linkAddedCallback(self: *Link, frame: *Frame) !void {
     // which fires the load/error event itself. Other rels (preload,
     // modulepreload) and the disabled case keep the rendering-free stub that
     // fires a synthetic `load` event without touching the network.
-    if (std.mem.eql(u8, rel, "stylesheet") and frame._session.load_external_stylesheets) {
-        return frame.loadExternalStylesheet(self);
+    if (std.mem.eql(u8, rel, "stylesheet")) {
+        return frame.loadExternalStylesheet(self, href);
     }
 
     try frame.queueLoad(self._proto);
@@ -174,5 +174,7 @@ test "WebApi: HTML.Link" {
 }
 
 test "WebApi: HTML.Link external stylesheet" {
+    const filter: testing.LogFilter = .init(&.{.http});
+    defer filter.deinit();
     try testing.htmlRunner("css/external_stylesheet.html", .{ .load_external_stylesheets = true });
 }
diff --git a/src/help.zon b/src/help.zon
index d8354d24..408fa20b 100644
--- a/src/help.zon
+++ b/src/help.zon
@@ -156,11 +156,7 @@
     \\                           Fetch external <link rel=stylesheet> resources so
     \\                           their rules contribute to computed styles (and
     \\                           therefore to visibility checks like display,
-    \\                           visibility, opacity, pointer-events). The default
-    \\                           skips these fetches, which makes utility-class-
-    \\                           heavy sites read as not-visible from the driver
-    \\                           side. Drivers can also toggle this per-session
-    \\                           via LP.configureLoading.
+    \\                           visibility, opacity, pointer-events).
     \\                           Defaults to false.
     \\
     \\--block-private-networks   Block HTTP requests to private/internal IP