- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Wed, 07 Jan 2015 08:32:20 -0500
- To: public-webapps@w3.org
On 1/7/15 6:17 AM, Anne van Kesteren wrote:
> The main tricky thing here I think is whether it is acceptable to have
> an element whose name is "a", namespace is the HTML namespace, and
> interface is Element.
That depends on what you mean by "interface is Element".
If you mean that it has all the internal slots HTMLAnchorElement has but
its prototype is Element.prototype, I think that may be fine. Libraries
might get confused if you pass them elements like this, but that just
comes down to "don't create elements like this" as a guideline, right?
If you mean not having the internal slots HTMLAnchorElement has, then
that would involve a good bit of both specification and implementation
work. Specifically:
1) Pretty much the entire HTML spec is written in terms of tag names,
and the operations it performs often assume some sort of state being
stored on elements with those tag names. Conceptually this is being
stored in internal slots (though of course in actual implementations
"slots" can mean "hashtable entries in some hashtable" or whatnot).
Significant spec work would need to happen to deal with situations where
the element has some tagname but not the corresponding internal slots.
2) In specifications, there are assumptions about particular tag names
having particular internal slots. For example, you often get code like
this (not actual code in either one, but intended to get the flavor
across) at least in WebKit and Gecko:
void doWhatever(Element* element) {
if (element->isHTML() && element->tagName() == "input") {
HTMLInputElement* input = static_cast<HTMLInputElement*>(element);
// Do stuff with "input" here.
}
}
If we can have HTML elements which have the "input" tag name but aren't
represented by a subclass of the C++ HTMLInputElement in the above code,
you get a security bug. So codebases would have to be audited for all
instances of this and similar patterns. I just did a quick check in
Gecko, and we're looking at at least 500 callsites just in C++. There
are probably more in privileged JavaScript that make assumptions about
things based on tagname...
This is why the custom elements spec ended up with the is="..." business
for extending nontrivial HTML elements. :(
So just to check, which of these two invariant-violations are we talking
about here?
> If we can break that invariant it seems rather easy to build the
> hierarchy. The HTMLElement constructor would only take a local name
> and always have a null prefix and HTML namespace.
I think that's fine in a world where we still create an
HTMLAnchorElement under the hood if you do "new HTMLElement('a')" but
just give it HTMLElement.prototype as the proto.
> And HTMLAnchorElement would always be "a". HTMLQuoteElement could accept
> an enum and we could even add dedicated constructors for <q> and
> <blockquote> (provided the web allows).
Yeah, this would make sense to me.
-Boris
Received on Wednesday, 7 January 2015 13:32:50 UTC