Re: [whatwg/dom] [Declarative Shadow DOM] How should we build the "opt-in" for fragment parsing of declarative Shadow DOM? (#912) from Mason Freed on 2020-11-18 (public-webapps-github@w3.org from November 2020)

From: Mason Freed <notifications@github.com>
Date: Wed, 18 Nov 2020 14:49:17 -0800
To: whatwg/dom <dom@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/dom/issues/912/730006585@github.com>

> It does not unfortunately. Trusted Types doesn't have cross-browser agreement.

@annevk, I wonder if there's a way to shape the `setInnerHTML()` opt-in argument such that **today**, opting in allows all contained declarative Shadow DOM content, and in the future (when the sanitizer-api is available), **not** opting in **still** allows contained declarative content, but with a first pass through the sanitizer?

@clelland after your nice BlinkOn talk today about Permissions Policy and Document Policy, I'm actually thinking this feature belongs squarely in Permissions Policy, not Document Policy. The policy restricts a "powerful" feature that can potentially enable scripts to bypass sanitizers. Would you agree?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/912#issuecomment-730006585

Received on Wednesday, 18 November 2020 22:49:30 UTC