Re: [w3ctag/design-reviews] Declarative Shadow DOM (#494)

> Looking through the linked discussion, it's not clear to me that WebKit is pushing back on streaming, so much as having streaming be _optional to implement_; it looks like Mozilla is making similar arguments, as you summarised.

You're right that in the current discussion, the streaming-related pushback has been on **optional** streaming, which is why I punted on that option. But the prior decision in 2018, to **not** move forward with declarative Shadow DOM, was mostly predicated on the difficulty and security issues inherent in a streaming solution. I wrote up a summary of that discussion in the explainer, [here](https://github.com/mfreed7/declarative-shadow-dom/blob/master/README.md#-prior-discussion-at-tokyo-f2f). It was this specific prior discussion that motivated me to pursue the non-streaming solution when I revived declarative Shadow DOM in 2020, in the hopes of getting multi-implementer support.

> 
> Since we only really had feedback on the streaming feature, and that discussion seems to be ongoing among the relevant stakeholders, it seems like we can probably close up this review, unless you had any other questions for us to think about.

Only one other issue has recently come up: a potential sanitizer bypass using declarative Shadow DOM. I have written up a summary of the issue and [added it to the explainer](https://github.com/mfreed7/declarative-shadow-dom/blob/master/README.md#potential-html-sanitizer-bypass). (I've also posted about this in the [issue discussion](https://github.com/whatwg/dom/issues/831#issuecomment-713726883), and reached out to [sanitizer libraries](https://twitter.com/cure53berlin/status/1318818166303281153).) I believe this, like other sanitizer bypasses, is best handled by the sanitizer libraries themselves, which already need to issue frequent updates to keep on top of security issues. But if you have any input on ways to mitigate this issue from an API perspective, I'd be very interested to hear your input. From my perspective, the issue seems fairly fundamental to any declarative Shadow DOM solution that allows closed shadow roots, mixed with any sanitizer library that allows the return of **live DOM** instead of string HTML. But thoughts appreciated!

If there's no input on the above issue, I do think we can close this TAG review. I really appreciate all of the feedback and help here!

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/494#issuecomment-713735913

Received on Wednesday, 21 October 2020 17:30:55 UTC
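One way a sanitizer that hands back live DOM can defend against the bypass described in the reply above, as an added example that is not from the thread or from any sanitizer library: pre-screen the HTML string for `<template>` start tags carrying a shadow-root attribute and strip that attribute, so the browser parser produces an inert `<template>` instead of attaching a shadow root (a closed one would be unreachable to any later DOM walk). It assumes the attribute names `shadowroot` (the 2020 proposal) and `shadowrootmode` (the name adopted later); the regexes are a pre-screen, not a full HTML tokenizer.

```javascript
// Added example, not code from the thread or from any sanitizer library.
// Assumption: declarative shadow roots are declared with a `shadowroot`
// (2020 proposal) or `shadowrootmode` (later name) attribute on <template>.
const SHADOW_ATTRS = new Set(["shadowroot", "shadowrootmode"]);

// Matches a <template ...> start tag; group 1 = open, 2 = attribute text, 3 = ">".
// Note: `[^>]*` is a pre-screen heuristic; a real sanitizer should hook its
// own tokenizer so that attribute values containing ">" cannot evade it.
const TEMPLATE_TAG_RE = /(<template\b)([^>]*)(>)/gi;

// Matches one name[=value] attribute inside the attribute text.
const ATTR_RE = /([^\s=\/"'>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Matches a shadow-root attribute (with optional value) for removal.
// Longer name first, plus a lookahead, so `shadowrootmode` is not cut to `shadowroot`.
const SHADOW_ATTR_RE =
  /\s+(?:shadowrootmode|shadowroot)(?=[\s=>/]|$)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/gi;

// Report every <template> start tag that would create a declarative shadow root.
// Returns [{ offset, attr, value }] so a sanitizer can log or reject the input.
function findDeclarativeShadowRoots(html) {
  const findings = [];
  for (const tag of html.matchAll(TEMPLATE_TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase();
      if (!SHADOW_ATTRS.has(name)) continue;
      const raw = attr[2] || "";
      findings.push({
        offset: tag.index,
        attr: name,
        value: raw.replace(/^["']|["']$/g, ""), // unquote the mode value
      });
    }
  }
  return findings;
}

// Mitigation: remove the shadow-root attribute from every <template> start tag.
// The template content then stays inside an inert <template> that DOM-walking
// sanitizers can see, rather than being moved into a shadow root on the host.
function neutralizeDeclarativeShadowRoots(html) {
  return html.replace(TEMPLATE_TAG_RE, (_m, open, attrs, close) =>
    open + attrs.replace(SHADOW_ATTR_RE, "") + close);
}

// Constructed sample input (benign content; only the attribute matters here).
const SAMPLE = '<div><template shadowroot="closed"><p>hidden from DOM walkers</p></template></div>';
```

Running `findDeclarativeShadowRoots(SAMPLE)` reports one `shadowroot="closed"` finding, and `neutralizeDeclarativeShadowRoots(SAMPLE)` yields the same markup with a plain `<template>`.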