-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
setHTML() and declarative shadow roots #8627
Comments
I thought about this some more and also chatted with @mozfreddyb about it:
|
I believe there's value in having an opt-out: People want to invoke the fragment parser with new and exciting options (e.g., We've gone through great lengths to make sure that you can never construct a imho, allowing to invoke My only remaining concern is with the static analysis perspective. Until now, I would have set "use setHTML everywhere. Allow setHTML everywhere and you're guaranteed to be safe". Now that is "Allow setHTML but always check that it does not pass an object that has a I suppose that's unavoidable. Also adding @otherdaniel for visibility. |
So to start, I'm supportive of this proposal (allowing
I think
Wholeheartedly declarative shadow DOM should be opt-out. The only reason it needed to be opt-in for existing parser entrypoints is the possibility of badly-configured JS sanitizers. Given that the built-in Sanitizer should do the right thing, I see no reason why DSD should be treated any differently than any other HTML. Of course, unsafe content inside a declarative shadow root should be properly sanitized. But the shadow root itself isn't inherently dangerous.
I'm agnostic, as long (see above) as the default is to allow them. |
@mfreed7 my first comment has a summary of what I think we ought to be doing here. Not sure why you skipped that one. 😊 |
I thought my reply quotes your first comment - does it not? Sorry, what did I miss? |
Sorry, that's OP. I should have said first reply. |
Ahh ok. Sorry.
My response to this is in the paragraph starting "Wholeheartedly declarative shadow DOM should be opt-out.".
This was discussed by @koto on whatwg/dom#912 (comment), with the viewpoint that the method name should indicate "unsafe" rather than one of the option values in the options bag. The rationale is that it's easier to grep for the unsafe method name than it is to follow argument values around.
Agree.
Agree. |
@mfreed7 interesting, depending on folks obfuscating invocation it might not be easier to grep, but if you can assume good faith I suppose that would work. We'd end up with quite a lot of methods though. I take it you agree we need some kind of unsafe method or are all known declarative shadow tree use cases served with sanitizing? |
This was resolved by #9538. |
setHTML()
which is being drafted in https://wicg.github.io/sanitizer-api/ is planned to be folded into HTML. It would be good to sort out the declarative shadow root interaction ahead of time so we don't run into any surprises.By default
setHTML()
will sanitize and removescript
elements. Is that problematic?There's a number of further design questions here:
I personally kinda like the idea that they are parsed, but by default end up getting removed. But that would make this the only place where removal is possible, which is a bit suspect.
cc @mfreed7 @mozfreddyb @evilpie @otherdaniel @smaug---- @rniwa
The text was updated successfully, but these errors were encountered: