Re: [whatwg/dom] Declarative Shadow DOM (#831)

> Thanks for all of the supportive comments here.
> 
> > Not off the top of my head. I don't think it's easy to add one without some kind of new HTML mode and/or not allowing to appear anywhere template can appear. This is a tricky issue I'd say. One way to mitigate this issue is to punt the parser behavior and just go with `shadow` element.
> 
> Using the `<shadow>` element wouldn't mitigate this **at all**. The concern is fundamental - any declarative shadow dom mechanism of any kind will suffer from this issue, by design. Why do you think `<shadow>` mitigates things?

It would because any sanitizer won't consider scripts etc. inside a template element to be inert. This is because `<shadow>` will be parsed as a `HTMLUnknownElement` right now.

> This is easily fixed using `importNode()`. DOMPurify (one of the largest client side sanitizers) is already patched, and its maintainer [agrees](https://github.com/whatwg/dom/issues/831#issuecomment-714282410) that this is just another bypass that needs to be patched.

If we've already found a sanitizing library which has this XSS issue, I'm sure there are dozens if not hundreds of other code that has the same issue, and we would be introducing new XSS vulnerabilities in sites where such code is deployed.

> > > I don’t think we should be handcuffed for all future Web features by the oldest sanitizer library currently in use.
> > 
> > 
> > We're already there given we're using template element partially due to the XSS concern associated with the parser behavior change.
> 
> I agree, and there are many resulting complaints that streaming isn't supported as a result. Let's not go further and eliminate the feature entirely.

Those things don't logically follow. Either we care about XSS concerns, and therefore we should restrict this feature based on that, or we should just accept the fact that there will be XSS concerns, in which case the argument for the shadow element increases compared to using the template element, although there is still a complication from making the HTML parser change if we want to make it behave like the template element, but perhaps that's not necessary.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-714673019

Received on Thursday, 22 October 2020 18:19:34 UTC
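The thread's security point is that sanitizers treat the contents of a `<template>` as inert, so a `<script>` nested inside a template that also declares a shadow root would be passed through untouched and then become live once the declarative shadow root is attached. As an added example (not code from the thread, from the spec, or from DOMPurify), here is a small JavaScript check that flags such templates and scripts in markup, plus the simplest mitigation a sanitizer can apply: stripping the shadow-root attribute so the template content stays inert. The function names, the regex-based tag tokenizer, and the sample markup are all constructed for this illustration; the tokenizer is a review/testing aid, not an HTML parser, and a real sanitizer should walk the parsed DOM (descending into `template.content`) instead. The attribute name `shadowroot` is the one used in the 2020 proposal; `shadowrootmode` is the name that later shipped, so both are recognised.

```javascript
// Added example, not from the thread: scan markup for <template> elements that
// declare a shadow root and for <script> elements nested inside template
// content. A sanitizer that skips template content because it is "inert"
// would otherwise let these through.

// Simplified tag tokenizer (constructed for illustration; not an HTML parser).
// Limitations: attribute values containing '>' and exotic syntax are not handled.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*?)\/?>/g;
const ATTR_RE = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Attribute names that turn a <template> into a declarative shadow root:
// "shadowroot" (2020 proposal) and "shadowrootmode" (the name that shipped).
const DSR_ATTRS = new Set(['shadowroot', 'shadowrootmode']);

// Parse the raw attribute text of a start tag into a lowercase name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Walk every tag, tracking open <template> elements, and report:
//  - 'declarative-shadow-root': a <template> carrying a shadow-root attribute
//  - 'script-in-template': a <script> start tag inside template content,
//    with insideShadowRoot=true if any enclosing template declares a shadow root
function scanForDeclarativeShadowRoots(html) {
  const findings = [];
  const templateStack = []; // one boolean per open <template>: declares a shadow root?
  for (const m of html.matchAll(TAG_RE)) {
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    const offset = m.index;
    if (name === 'template') {
      if (closing) {
        templateStack.pop();
        continue;
      }
      const attrs = parseAttrs(m[3]);
      const dsrAttr = Object.keys(attrs).find((a) => DSR_ATTRS.has(a));
      if (dsrAttr) {
        findings.push({ kind: 'declarative-shadow-root', offset, attr: dsrAttr });
      }
      templateStack.push(Boolean(dsrAttr));
      continue;
    }
    if (!closing && templateStack.length > 0 && name === 'script') {
      findings.push({
        kind: 'script-in-template',
        offset,
        insideShadowRoot: templateStack.some(Boolean),
      });
    }
  }
  return findings;
}

// Mitigation: remove the shadow-root attribute from every <template> start tag
// so the template content remains inert after insertion. A stricter sanitizer
// would additionally sanitize template content recursively.
function stripDeclarativeShadowRootAttrs(html) {
  return html.replace(TAG_RE, (tag, closing, name, raw) => {
    if (closing === '/' || name.toLowerCase() !== 'template') return tag;
    const kept = raw
      .replace(ATTR_RE, (attr, attrName) => (DSR_ATTRS.has(attrName.toLowerCase()) ? '' : attr))
      .trim();
    return kept ? `<template ${kept}>` : '<template>';
  });
}

// Constructed sample markup: one declarative shadow root with a nested script,
// one ordinary template with a script (inert), and plain content.
const SAMPLE = [
  '<div><template shadowroot="open"><script>console.log("live")</script><p>hi</p></template></div>',
  '<template><script>console.log("inert")</script></template>',
  '<p>plain <b>text</b></p>',
].join('\n');

console.log('findings before stripping:', scanForDeclarativeShadowRoots(SAMPLE));
console.log('findings after stripping:', scanForDeclarativeShadowRoots(stripDeclarativeShadowRootAttrs(SAMPLE)));
```

On the sample, the scanner reports the `shadowroot` template and both nested scripts (the first marked as inside a shadow root, the second not); after `stripDeclarativeShadowRootAttrs`, the same scan no longer finds any declarative shadow root, because the template with its script can no longer be promoted to a live shadow tree.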