Re: [whatwg/dom] Declarative Shadow DOM (#831)

> > > You say you haven't given up hope on this feature, but if `<shadowroot>` is the only way forward, and `<shadowroot>` is a non-starter, then I see no way forward at all.
> > 
> > 
> > You're making a whole bunch of assumptions there. I don't necessarily think `<shadowroot>` is the only way forward even though that might be a promising approach and there are many ways to define what `<shadowroot>` would do, not all such definitions are problematic. We just need to find a solution that satisfies all the constraints we've identified thus far.
> 
> I still don't understand how this solves the XSS issue. For users that override the defaults of sanitizers (or just use "bad" sanitizers), new elements like `<shadowroot>` could still be ignored. And as I mentioned, for sanitizers that use the built-in parser for all HTML parsing, **any** declarative shadow DOM solution poses this risk. No matter what the tag name is, `<template shadowroot>`, `<shadowroot>`, or `<my-super-secret-declarative-tag>`. These sanitizers will send the raw HTML into the browser's parser, and if declarative shadow DOM is a thing, the parser will return DOM containing shadow roots. Please help me understand how this fixes the XSS problem, at all.

That's not true. `<shadowroot>` would be parsed as an `HTMLUnknownElement`, and as such any link element or script element which is a descendant of that node will load CSS, scripts, etc., and load/error event handlers will run. This is the current expectation and behavior of the content inside `<shadowroot>`. Sanitizers will have to delete all such script elements and event handlers. That is not the case with `<template>`. No script or link elements will load scripts or CSS, nor will load and/or error event handlers in those nodes get executed, by simply parsing that content as a part of an active document.

> > I empathize with people getting frustrated here. This must be such an easy feature for browsers to add, you might think. In reality, there are a lot of nuances and issues we have to consider and take care of. So please don't be discouraged and think that this isn't going anywhere. If I thought this isn't going anywhere or a totally bad idea, I wouldn't be actively engaging in the discussion like this over weekends :)
> 
> @rniwa, I'm really glad to hear that you're nominally supportive of adding this feature. **That is very encouraging!** Let's get this feature across the finish line - there are clearly developers who would like to use Shadow DOM but cannot because there is no declarative solution.

No, I am not. Whilst we've been actively engaged in this discussion, that doesn't necessarily mean we're endorsing the addition of this Web API. We're still in the process of evaluating it because of the said developer interests in this topic.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-716237942

Received on Monday, 26 October 2020 00:17:55 UTC
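
The structural difference the reply above relies on, as an added example that is not part of the original email: children of an unknown `<shadowroot>` element are ordinary child nodes, while children of `<template>` are parsed into `template.content`. The node-like objects are constructed stand-ins for parser output, and `findActiveContent` and `descendIntoTemplates` are hypothetical names for a sanitizer-style tree walk.

```javascript
// Constructed helper: builds a minimal node-like object (not a real DOM node).
const el = (tag, attrs = {}, children = [], content = null) => ({
  nodeType: 1,
  localName: tag,
  attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
  childNodes: children,
  content,
});

// Stand-in for <div><shadowroot><script></script><img onerror=...></shadowroot></div>:
// an unknown element keeps its children as ordinary child nodes.
const unknownElementTree = el('div', {}, [
  el('shadowroot', {}, [el('script'), el('img', { onerror: 'x()' })]),
]);

// Stand-in for the same markup inside <template>: the template element has no
// child nodes; its children live in the template.content fragment (nodeType 11).
const templateTree = el('div', {}, [
  el('template', {}, [], {
    nodeType: 11,
    childNodes: [el('script'), el('img', { onerror: 'x()' })],
  }),
]);

// Sanitizer-style walk: reports script/link elements and on* handler attributes.
// Only follows template.content when descendIntoTemplates is set.
function findActiveContent(node, opts, found = []) {
  if (node.nodeType === 1) {
    if (node.localName === 'script' || node.localName === 'link') {
      found.push(`<${node.localName}>`);
    }
    for (const { name } of Array.from(node.attributes)) {
      if (name.toLowerCase().startsWith('on')) found.push(`${node.localName}[${name}]`);
    }
    if (opts.descendIntoTemplates && node.localName === 'template' && node.content) {
      findActiveContent(node.content, opts, found);
    }
  }
  for (const child of Array.from(node.childNodes)) {
    findActiveContent(child, opts, found);
  }
  return found;
}
```

A walk that follows only `childNodes` reports the script and handler under the unknown element but nothing under `<template>`; it sees the template's content only when it also descends into `template.content`.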