- From: Dan Fabulich <notifications@github.com>
- Date: Sat, 24 Oct 2020 18:37:58 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/dom/issues/831/716079623@github.com>
Having made my argument against having an opt-in mechanism, I'm unclear on what @rniwa now thinks is the best way forward for this feature.
As I see it, the options are as follows:
1. Keep going with `<template shadowroot>` and accept the XSS risks
2. Adopt an opt-in mechanism (which I argue would be a footgun)
3. Switch to a new element name like `<shadowroot>`, which legacy sanitizers will treat as an HTMLUnknownElement
As for `<shadowroot>`, when Declarative Shadow DOM was under discussion in 2017, @rniwa was just one among many voices, including Chrome devs, saying that adopting a new element like `<shadowroot>` was a non-starter. The explainer for Declarative Shadow DOM has a whole section on this ("[Syntax: `<template shadowroot=open>` vs. `<shadowroot>`](https://github.com/mfreed7/declarative-shadow-dom/blob/master/README.md#syntax-template-shadowrootopen-vs-shadowroot)") and it quotes @rniwa's [comment from 2018](https://github.com/whatwg/dom/issues/510#issuecomment-372224104) as evidence that implementers won't support adding `<shadowroot>`, due to the potential for security bugs.
You say you haven't given up hope on this feature, but if `<shadowroot>` is the only way forward, and `<shadowroot>` is a non-starter, then I see no way forward at all.
Do you see a way forward? If so, what exactly do you recommend?
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-716079623
Received on Sunday, 25 October 2020 01:38:10 UTC