Re: [whatwg/dom] Declarative Shadow DOM (#831) from inoas on 2020-10-24 (public-webapps-github@w3.org from October 2020)

From: inoas <notifications@github.com>
Date: Sat, 24 Oct 2020 14:22:13 -0700
To: whatwg/dom <dom@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/dom/issues/831/716056850@github.com>

@rniwa first of all, thanks for tanking concerns of every-day web-authors sireously, I was losing faith.

> I don't follow what you mean by this.

I meant pages and web apps having their code changed by either programmers or end users.

XSS is not just added magically as far as I understand - it is added either though bad programming or modifyiable user generated content on web apps. And for latter you want to have opt-in security models stripping away everything a santizier does not know about even if it is an unknown attribute. For the first you want to focus on security over other concerns when developing web apps.

So when adding this to the html standard, we are not introducing XSS. Either bad programmers are or bad concepts about user generated content. Wrong?

***

It seems I know understand this part of your/the conversation between @mfreed7 and @rniwa 

>>> One way to mitigate this issue is to punt the parser behavior and just go with shadow element.

>> Using the <shadow> element wouldn't mitigate this at all. The concern is fundamental - any declarative shadow dom mechanism of any kind will suffer from this issue, by design. Why do you think <shadow> mitigates things?

> It would because any sanitizer won't consider scripts etc... inside a template element to be inert. This is because <shadow> will be parsed as a HTMLUnknownElement right now.

Anyway, so what I understood from the sidebench, adding declarative shadow dom through the template-tag is of an issue here *because* sanitizers are not strictly following an opt-in paradigm (as in: includes attributes), correct? So isn't the first issue here a fire-and-forget mind-set/security-model regarding sanitizers that shouldn't be trusted in the first place?

**If the answer is no**, and the issue boils down to fundamentally changing the behavior of a 9-year-old tag, why go with the tag in the first place. Instead where `<shadow/>` may be what technical people (here) would make sense of a simple `<component>` tag could be used instead of `<template>`. This would IMHO also perfectly match with what every-day authors would expect a component to be called like, wouldn't it? (Regarding: https://github.com/mfreed7/declarative-shadow-dom/blob/master/README.md#-keep-the-template-shadowroot-node-around I would also prefer to keep the node around as it would make it easy to toggle a components visibility or move it to other places in the DOM while being agnostic towards its content).

Regarding https://github.com/mfreed7/declarative-shadow-dom/blob/master/README.md#proposed-solution `shadowroot="open"` could then simply be renamde `componentroot="open"`

**But if the answer is yes**, maybe the solution is not fixing this proposal but fixing sanitizers and mind-sets.

So what's the answer? Is it the sanitizers basic design flaw, or not?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-716056850

Received on Saturday, 24 October 2020 21:22:26 UTC