- From: Brendan Eich <brendan@secure.meer.net>
- Date: Sat, 09 Mar 2013 18:26:48 -0800
- To: Allen Wirfs-Brock <allen@wirfs-brock.com>
- CC: Ojan Vafai <ojan@chromium.org>, Adam Barth <w3c@adambarth.com>, Domenic Denicola <domenic@domenicdenicola.com>, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@annevk.nl>, Rick Waldron <waldron.rick@gmail.com>, Adam Klein <adamk@chromium.org>, Ian Hickson <ian@hixie.ch>, "rafaelw@chromium.org" <rafaelw@chromium.org>, Alex Russell <slightlyoff@chromium.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>, "Mark S. Miller" <erights@google.com>
Allen Wirfs-Brock wrote:
> On Mar 9, 2013, at 5:29 PM, Brendan Eich wrote:
>> No, the idea Ojan put forth is that the tag-less form should call a
>> default handler other than String, in browsers. Specifically it would
>> do a checked form of HTML parsing that threw if interpolations were
>> not complete and well-formed subtrees.
>
> Platform specific processing for tag-less string templates would be terrible for cross platform interoperability.

You mean portability.

> It means, for example any code containing a tag-less string template would not be interoperable between, for example, browsers and node.js servers

s/interoperable/portable/.

Node.js already has a different global object without a bunch of the client-side baggage. Porting has its costs. So do XSSes. That's what you are hearing. I think Adam Barth is vehement about this because he studied too many while at Stanford, and even Google gets burned by them -- as Bjoern Hoehrmann pointed out up-thread:

A year or two ago I learned that Yair Amit reported a XSS vulnerability on google.com to Google in 2005. That was quite interesting because I'd not known that when

http://www.websitedev.de/temp/google-utf7-xss.txt

I reported another XSS vulnerability on the same page a couple of weeks later (initially no character encoding declared, then encoding set to US-ASCII while echoing non-7-bit user input). I am still not sure what to make of that, but given people screwing up like that, this contextual auto-escaping idea seems to be aiming too high, outside tight organizational boundaries.

Bjoern makes a good point here. I don't know that the XSS cost outweighs the porting tax, they are apples to oranges. But XSS hazards remain in place and people get burned by them. Adding one under the tag-less (shortest, easiest to type) syntax is a choice we have to make in a sea of trade-offs.

> That sort of platform-dependent behavior is a real language design anti-pattern if you care about interoperability.
You mean portability. Browser JS would have a cross-browser normative spec governing the default template string handler, and so web JS would interop.

/be
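As an added illustration (not code from this thread or from any of its participants), the contrast the message is about: the tag-less form runs interpolations through String() and concatenates them raw, while a tag can treat them as untrusted text. The tag here does plain HTML escaping rather than the checked well-formedness parse Ojan proposed; the names `html`, `escapeHtml` and `SafeHtml` are assumptions.

```javascript
// Characters that change meaning inside HTML text or attribute values.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker for fragments this tag already produced, so nesting
// html`...` inside html`...` does not double-escape.
class SafeHtml {
  constructor(s) { this.s = s; }
  toString() { return this.s; }
}

// Tag function: the literal chunks are author-written and trusted; each
// interpolated value is escaped unless it is SafeHtml from this same tag.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.s : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// Constructed sample standing in for echoed user input (assumption).
const untrusted = '<b>not markup</b> & "quotes"';

// Tag-less form: String() semantics, the value lands in the markup as-is.
function taglessRender(name) {
  return `<p>Hello, ${name}</p>`;
}

// Tagged form: the same template, but interpolations are escaped.
function taggedRender(name) {
  return html`<p>Hello, ${name}</p>`.toString();
}
```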
Received on Sunday, 10 March 2013 02:27:20 UTC