Re: Rendering Verifiable Credentials @ RWoT11 from Leonard Rosenthol on 2022-07-19 (public-credentials@w3.org from July 2022)

From: Leonard Rosenthol <lrosenth@adobe.com>
Date: Tue, 19 Jul 2022 11:59:06 +0000
To: Manu Sporny <msporny@digitalbazaar.com>, "public-credentials@w3.org" <public-credentials@w3.org>
Message-ID: <DM8PR02MB81814DF07EFAE199898506BBCD8F9@DM8PR02MB8181.namprd02.prod.outlook.com>

SVG (the standard profile) supports JS and CSS, so all the same issues you have with HTML you have with SVG.  There are profiles of SVG that don’t allow JS or CSS, such as SVG Tiny or SVG Basic…

I will note, however, that the IETF tried using a reduced functionality profile for allowing SVG in RFC’s and ran into a lot of issues with lack of tool support…so they ended up having to write their own “SVG cleaner” application…

Leonard

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Monday, July 18, 2022 at 7:48 PM
To: public-credentials@w3.org <public-credentials@w3.org>
Subject: Re: Rendering Verifiable Credentials @ RWoT11
EXTERNAL: Use caution when clicking on links or opening attachments.


On 7/18/22 12:27 AM, Bill Claxton, NextID Founder & Operations Director wrote:
> This is why we use HTML and CSS to create responsive layouts and why the
> NextCert Issuer supports uploading of layouts using zip packages.

Bill, feel free to add links to any relevant work here as  PR:

https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FWebOfTrustInfo%2Frwot11-the-hague%2Fblob%2Fmaster%2Fadvance-readings%2Frendering-verifiable-credentials.md&amp;data=05%7C01%7Clrosenth%40adobe.com%7C71063fa04f7f49c182fe08da69180df5%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637937849283179812%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=skFf2H2BaPSVCEIKAb5zBbPv3GMx3DC92%2BHtTPEZfAQ%3D&amp;reserved=0

We had considered HTML/CSS and had backed off a bit given the possibility of
all sorts of tracking/JS injection attacks. That said, it's a natural desire
to use what's already out there and deployed broadly... and there might be
hope in sandboxing components via Web Components:

https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdev.to%2Femileperron%2Fweb-components-in-2021-the-good-the-bad-and-the-ugly-3kg&amp;data=05%7C01%7Clrosenth%40adobe.com%7C71063fa04f7f49c182fe08da69180df5%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637937849283179812%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=crjvzxXPzCwVaKZqVX9khecRajkV66v82hz23fZAk04%3D&amp;reserved=0

Has anyone out there tried to use a Web Component as a rendering layer for VCs?

-- manu

--
Manu Sporny - https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fmanusporny%2F&amp;data=05%7C01%7Clrosenth%40adobe.com%7C71063fa04f7f49c182fe08da69180df5%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637937849283179812%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=jPX7b9hWGh%2BxHoOokGwX6ktFiGSjK9LtydWZ%2FSCpOwE%3D&amp;reserved=0
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.digitalbazaar.com%2F&amp;data=05%7C01%7Clrosenth%40adobe.com%7C71063fa04f7f49c182fe08da69180df5%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637937849283179812%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=R3U32uUR2nRZS9U4F8jebRLTfE0lBl4HBtbQCNaXMo4%3D&amp;reserved=0

Received on Tuesday, 19 July 2022 11:59:22 UTC