Re: [whatwg/dom] What is the "security policy" for adding new events and elements to the Web Platform? (#913)

> Can the feature be used to bypass a safelist-based sanitizer (https://github.com/WICG/sanitizer-api might help making that concrete) is probably the bar, but it will also always depend. (Maybe this should move to whatwg/html?)

I think I agree with that bar - safelist-based sanitizers should continue to be safe. And I believe they are here, as the "shadowroot" attribute will not be on existing safelists. The main "worry" on this thread seems to be denylist-based sanitizers, which don't seem to be future proof or secure on their own.

I agree that this should probably be on whatwg/html - I don't think I have permission to move it. Do you?

-- 
https://github.com/whatwg/dom/issues/913#issuecomment-733177964

Received on Tuesday, 24 November 2020 19:12:02 UTC
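
The distinction drawn in the message above, as an added example that is not part of the original thread or of any sanitizer project: a toy sanitizer over plain-object nodes (not real DOM nodes), run once with a safelist and once with a denylist, to show which policy lets the new "shadowroot" attribute through. Both policy lists, the node shape and the function names are assumptions made for this illustration.

```javascript
// Added illustration: nodes are plain objects; both policy lists are constructed.
const SAFELIST = {
  elements: new Set(["div", "p", "span", "a", "template"]),
  attributes: new Set(["class", "href", "title"]),
};
const DENYLIST = {
  elements: new Set(["script", "iframe", "object"]),
  attributes: new Set(["onclick", "onerror", "onload", "style"]),
};

// Recursively filter a node. Mode "safelist" keeps only listed names;
// mode "denylist" drops only listed names and keeps everything else.
function sanitize(node, policy, mode) {
  if (typeof node === "string") return node; // text node
  const tag = node.tag.toLowerCase();
  const keep = (set, name) =>
    mode === "safelist" ? set.has(name) : !set.has(name);
  if (!keep(policy.elements, tag)) return null; // drop element and subtree
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const lower = name.toLowerCase();
    if (keep(policy.attributes, lower)) attrs[lower] = value;
  }
  const children = (node.children || [])
    .map((child) => sanitize(child, policy, mode))
    .filter((child) => child !== null);
  return { tag, attrs, children };
}

// Collect every attribute name that survives, for auditing a result.
function attributeNames(node, out = new Set()) {
  if (node === null || typeof node === "string") return out;
  Object.keys(node.attrs).forEach((name) => out.add(name));
  node.children.forEach((child) => attributeNames(child, out));
  return out;
}

// Constructed input: a template carrying the new "shadowroot" attribute.
const input = {
  tag: "div", attrs: { class: "post" },
  children: [{
    tag: "template", attrs: { shadowroot: "open", onclick: "x()" },
    children: [{ tag: "p", attrs: {}, children: ["hello"] }],
  }],
};

const viaSafelist = attributeNames(sanitize(input, SAFELIST, "safelist"));
const viaDenylist = attributeNames(sanitize(input, DENYLIST, "denylist"));
console.log([...viaSafelist], [...viaDenylist]);
```

The safelist run keeps only `class`, while the denylist run also keeps `shadowroot`, because its list was written before that attribute existed.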