[webcomponents] [imports]: <link rel=import> shouldn't be active when added by innerHTML (bugzilla: 26898) (#193)

Title: [imports]: <link rel=import> shouldn't be active when added by innerHTML (bugzilla: 26898)

Migrated from: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26898

----
comment: 0
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26898#c0
*Morrita Hajime* wrote on 2014-09-24 20:07:27 +0000.

Reported at https://code.google.com/p/chromium/issues/detail?id=416036
As with \<script\>, it should be disabled when injected by innerHTML.
cf. http://www.w3.org/TR/2008/WD-html5-20080610/dom.html#innerhtml0

----

comment: 1
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26898#c1
*Jonas Sicking* wrote on 2014-09-24 20:51:51 +0000.

Why?

The \<script\> thing was mostly done in order to get compatibility with existing content. Specifically there was a lot of content out there that did things like:

\<div id=elem\>
  \<script\>...\</script\>
  lots of content here
\</div\>

document.getElementById('elem').innerHTML += "hello world";

This code did not expect the script elements to execute again because back in those days dynamically inserted \<script\> elements almost never executed.

I don't think any of those reasons apply here.

First of all "reimporting" the same URL is a no-op since we de-duplicate imports, right?

Second, there's no existing content that we need to be compatible with since imports are a new feature.


The reason I'd rather not make exceptions for innerHTML is that it creates arbitrary and hard-to-learn inconsistencies. Why innerHTML but not outerHTML or insertAdjacentHTML? What about the jQuery provided $("markup here") and parseHTML?

----

comment: 2
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26898#c2
*Morrita Hajime* wrote on 2014-09-24 22:24:07 +0000.

Good question. Your points are valid.

I heard that the \<script\> blacklisting is a safeguard for reducing XSS.
Is that a misunderstanding of the intention of the spec?

----

comment: 3
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26898#c3
*Jonas Sicking* wrote on 2014-09-24 22:35:34 +0000.

The current limitation was mainly added in order to be compatible with the web. It was originally not added for any security reasons.

I don't think that blocking \<script\> in innerHTML is a meaningful XSS-prevention mechanism. But others might disagree.


Received on Monday, 6 July 2015 07:39:09 UTC