Re: [whatwg/dom] Declarative Shadow DOM (#831)

> That's not true. `<shadowroot>` would be parsed as a `HTMLUnknownElement`, and as such any link element or script element which is a descendant of that node will load CSS, scripts, etc... load/error event handlers will run. This is the current expectation and behavior of the content inside `<shadowroot>`. Sanitizers will have to delete all such script elements and event handlers. That is not the case with `<template>`. No script or link elements will load scripts or CSS nor load and/or error event handlers in those nodes will get executed by simply parsing that content as a part of an active document. 

I guess I'm not understanding something - please help me. The sanitizer problem I'm talking about goes like this:

1. Use a browser **that supports declarative Shadow DOM**.
2. Use a client-side sanitizer that uses the **browser's HTML parser** to convert dirty HTML into an isolated `DocumentFragment`, e.g. by using `DOMParser`.
3. The sanitizer walks the resulting tree, pruning any malicious nodes.
4. The sanitizer returns **the DOM tree itself** to the user.

The sanitizer bypass HTML in this case would consist of a closed declarative shadow root containing the XSS payload. At step #2, the browser will parse the HTML into a DOM tree containing a closed shadow root, which contains the XSS payload. Step #3 cannot see this part of the tree, because of the definition of "closed shadow root". Step #4 therefore returns a DOM tree with the XSS payload.

Note that in the above description, I don't need to tell you what the exact semantics of the declarative Shadow DOM is - it could be `<template shadowroot>` just as easily as `<shadowroot>`. I don't know why you say `<shadowroot>` will parse into an `HTMLUnknownElement` - that would indicate that the browser we're using **doesn't** support declarative Shadow DOM. But see step #1 above.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-716260127

Received on Monday, 26 October 2020 01:56:20 UTC
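An added example, not part of the thread and not any browser's or sanitizer's own code: a pre-parse check that a DOM-returning sanitizer can run on the raw string before step #2, rejecting input that would open a declarative shadow root, since the tree walk in step #3 cannot see into a closed one. It assumes the attribute names `shadowroot` (the 2020 proposal) and `shadowrootmode` (the name adopted later).

```javascript
// Added example (not from the thread): scans raw HTML for <template> start
// tags carrying a declarative shadow root attribute so a sanitizer can reject
// such input up front instead of relying on a tree walk that cannot see into
// a closed shadow root. Attribute names are an assumption (see lead-in).
const SHADOW_ATTRS = new Set(['shadowroot', 'shadowrootmode']);
const WS = /[\t\n\f\r ]/;

// Attribute names on a start tag, reading from html[i] (just past the tag name).
// Follows the HTML tokenizer: names end at whitespace, '/', '>' or '='; quoted values may contain '>'.
function readAttributeNames(html, i) {
  const names = [];
  while (i < html.length) {
    while (i < html.length && (WS.test(html[i]) || html[i] === '/')) i++;
    if (i >= html.length || html[i] === '>') break;
    let name = '';
    if (html[i] === '=') name += html[i++];   // tokenizer error recovery: '=' may start a name
    while (i < html.length && !WS.test(html[i]) && !'/>='.includes(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && WS.test(html[i])) i++;
    if (html[i] !== '=') continue;            // attribute without a value
    i++;
    while (i < html.length && WS.test(html[i])) i++;
    const q = html[i];
    if (q === '"' || q === "'") {             // quoted value: skip to the closing quote
      const end = html.indexOf(q, i + 1);
      i = end === -1 ? html.length : end + 1;
    } else {                                  // unquoted value: runs to whitespace or '>'
      while (i < html.length && !WS.test(html[i]) && html[i] !== '>') i++;
    }
  }
  return names;
}

// Every <template ...> start tag that would open a declarative shadow root. Tag and
// attribute names match case-insensitively, as the tokenizer does; a hit inside a comment is a harmless false positive.
function findDeclarativeShadowRoots(html) {
  const hits = [];
  const tagRe = /<template(?=[\t\n\f\r />])/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = readAttributeNames(html, m.index + m[0].length).find(n => SHADOW_ATTRS.has(n));
    if (attr) hits.push({ offset: m.index, attribute: attr });
  }
  return hits;
}

// Constructed sample of dirty input: the shadow root opener is spelled oddly on purpose
// ('/' as attribute separator, mixed case), which the tokenizer still accepts.
const SAMPLE = '<p>hello</p><TEMPLATE/ShadowRoot="closed"><p>not visible to a tree walk</p></TEMPLATE>';
console.log(findDeclarativeShadowRoots(SAMPLE)); // → [ { offset: 12, attribute: 'shadowroot' } ]
```

A sanitizer that still wants to return a live tree can refuse any input for which this returns a non-empty list; it does not attempt to locate or strip the hidden subtree, because after parsing that subtree is unreachable by design.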