- From: Mason Freed <notifications@github.com>
- Date: Wed, 02 Dec 2020 10:28:08 -0800
- To: whatwg/xhr <xhr@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 2 December 2020 18:28:21 UTC

> I missed that, is there a reason "deny" is not the default, given that it's "unsafe"?

I'm open to suggestions on how I implemented this in the [HTML spec](https://github.com/whatwg/html/pull/5465/files) (and in code), but as it stands, the "include shadow roots" flag is tri-state. It can be unset, or explicitly "allow" or "deny". The reason is that for fragment parsing, unset means "don't allow" DSD content. But for non-fragment parsing, unset means "allow" DSD content. The explicit cases allow that default behavior to be overridden, e.g. here for XHR, where the XHR document is parsed with a non-fragment parser, but we still **don't** want to allow DSD content. Or the opposite case for `DOMParser` with the `includeShadowRoots` flag set to true, we want to explicitly **allow** DSD content even for the fragment parser.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/xhr/pull/300#issuecomment-737412411