Re: [whatwg/dom] [Declarative Shadow DOM] How should we build the "opt-in" for fragment parsing of declarative Shadow DOM? (#912)

> > This sounds good overall, except that I'd wait with introducing `setInnerHTML` until we have a standardized sanitizer (see https://github.com/WICG/sanitizer-api) as not using the sanitizer should be an opt-out (labeled "unsafe"). Introducing another API that will incur XSS does not really seem acceptable to me.
> 
> Isn't this more of an argument for Trusted-Types-like guards on this sink? Sanitizer API leans into the direction of unconditionally removing JS code, and this sink needs to, at least optionally, support JS in HTML. So we'd either end up with two different sinks (`unsafeSetInnerHTML(string)`, and `setInnerHTML(stringToSanitize)`), or an additional argument for both variants. It seems more elegant to just cover it with Trusted Types guards instead, or only require `TrustedHTML` with no option for a string.

I tend to agree with @koto on this - there's not much point to a sanitized `setInnerHTML()` that removes all JS from the content. I've marked the new `setInnerHTML` API as an [HTMLString](https://w3c.github.io/webappsec-trusted-types/dist/spec/#integrations), so it should play nicely with the Trusted Types system. Does that alleviate your concerns over a new API?

My original approach here was to add an opt-in to the Document, to avoid adding another `setInnerHTML()` API, but that was changed for what seemed like [good reasons](https://github.com/whatwg/dom/issues/912#issuecomment-722699514).

All of the changes in [this comment](https://github.com/whatwg/dom/issues/912#issuecomment-725654573) and [this one](https://github.com/whatwg/dom/issues/912#issuecomment-725825635) have now landed in Chromium 88+ (behind the Experimental Web Platform Features flag). I added a [section to the explainer](https://github.com/mfreed7/declarative-shadow-dom#mitigation) that touches on these changes. I'm going to get started modifying the spec PRs ([HTML](https://github.com/whatwg/html/pull/5465)/[DOM](https://github.com/whatwg/dom/pull/892)) to incorporate these opt-ins.

https://github.com/whatwg/dom/issues/912#issuecomment-728343867

Received on Monday, 16 November 2020 21:37:45 UTC
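The guard koto and the reply above converge on, a fragment-parsing sink that accepts only `TrustedHTML` and no raw string, as an added example that is not part of the original comment, of Chromium's implementation, or of the Trusted Types spec. Because Node has no `trustedTypes` global, the policy registry and the `TrustedHTML` wrapper are modelled here in plain JavaScript; the sink name `setInnerHTML`, the `includeShadowRoots` option, the `shadowroot="open"` attribute in the sample markup, and the two policy names are all assumptions made for the illustration. The point it shows is that the sink itself does no sanitizing: trust is decided at named, auditable policies, so component markup that legitimately carries `<script>` and untrusted user text can both flow through the same sink without the sink stripping JS.

```javascript
// Added example (not the page's or Chromium's code): a minimal model of a
// Trusted Types guarded HTML sink. Assumptions: sink is `setInnerHTML`,
// opt-in option is `includeShadowRoots`, policies expose `createHTML`.

// Only a policy may mint TrustedHTML; the token keeps `new TrustedHTML()`
// out of reach of ordinary callers, like the browser's opaque type.
const MINT_TOKEN = Symbol('mint');

class TrustedHTML {
  #value;
  constructor(value, token) {
    if (token !== MINT_TOKEN) {
      throw new TypeError('TrustedHTML cannot be constructed directly');
    }
    this.#value = value;
  }
  toString() { return this.#value; }
}

// Modelled on trustedTypes.createPolicy: names are unique, and the
// caller-supplied createHTML is the only code that decides what is trusted.
const policies = new Map();
function createPolicy(name, { createHTML }) {
  if (policies.has(name)) throw new TypeError(`Policy "${name}" already exists`);
  const policy = Object.freeze({
    name,
    createHTML: (input) => new TrustedHTML(createHTML(String(input)), MINT_TOKEN),
  });
  policies.set(name, policy);
  return policy;
}

// The sink in the "require TrustedHTML, no string option" form. It never
// inspects or rewrites markup; it only checks that a policy produced it.
// `element` is a plain object standing in for a DOM Element.
function setInnerHTML(element, html, { includeShadowRoots = false } = {}) {
  if (!(html instanceof TrustedHTML)) {
    throw new TypeError('setInnerHTML requires TrustedHTML, not a string');
  }
  element.innerHTMLSource = String(html);
  element.includeShadowRoots = includeShadowRoots;
  return element;
}

// Policy for server-templated component markup. Passthrough: this markup
// legitimately contains <script>, so a sanitizer would break it. The policy
// name is the audit point; a CSP `trusted-types` list can pin which exist.
const componentPolicy = createPolicy('component-templates', {
  createHTML: (s) => s,
});

// Policy for untrusted user text: HTML-escape so it renders as text only.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
const userTextPolicy = createPolicy('user-text', { createHTML: escapeHtml });

// Constructed sample: declarative shadow DOM markup with an inline script,
// using the `shadowroot` attribute as an assumption about the syntax.
const COMPONENT_MARKUP =
  '<my-card><template shadowroot="open">' +
  '<style>:host{display:block}</style><slot></slot>' +
  '<script>/* component bootstrap */</script>' +
  '</template></my-card>';

// Parse trusted component markup with the declarative shadow DOM opt-in.
function renderComponent(markup) {
  return setInnerHTML({}, componentPolicy.createHTML(markup), { includeShadowRoots: true });
}

// Parse untrusted text; the policy, not the sink, neutralises it.
function renderUserText(text) {
  return setInnerHTML({}, userTextPolicy.createHTML(text));
}

module.exports = { TrustedHTML, createPolicy, setInnerHTML, renderComponent, renderUserText, COMPONENT_MARKUP };
```

Calling `setInnerHTML(el, '<b>x</b>')` with a plain string throws, which is the whole guard: a grep for the policy names finds every place trusted HTML enters the parser, whereas a sanitizing variant of the sink would have to either strip the component's script or grow a second, unsafe entry point.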