Re: [whatwg/dom] Declarative Shadow DOM (#831) from Martynas Jusevičius on 2020-10-26 (public-webapps-github@w3.org from October 2020)

From: Martynas Jusevičius <notifications@github.com>
Date: Mon, 26 Oct 2020 02:19:36 -0700
To: whatwg/dom <dom@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/dom/issues/831/716420129@github.com>

I love how you guys are stuck with a problem that is entirely unnecessary
and of your own making in the first place.

On Mon, Oct 26, 2020 at 3:07 AM Ryosuke Niwa <notifications@github.com>
wrote:

>
>    1. Use a browser *that supports declarative Shadow DOM*.
>    2. Use a client-side sanitizer that uses the *browser's HTML parser*
>    to convert dirty HTML into an isolated DocumentFragment, e.g. by using
>    DOMParser.
>    3. The sanitizer walks the resulting tree, pruning any malicious nodes.
>    4. The sanitizer returns *the DOM tree itself* to the user.
>
> The sanitizer bypass HTML in this case would consist of a closed
> declarative shadow root containing the XSS payload. At step #2
> <https://github.com/whatwg/dom/pull/2>, the browser will parse the HTML
> into a DOM tree containing a closed shadow root, which contains the XSS
> payload. Step #3 <https://github.com/whatwg/dom/pull/3> cannot see this
> part of the tree, because of the definition of "closed shadow root". Step
> #4 <https://github.com/whatwg/dom/pull/4> therefore returns a DOM tree
> with the XSS payload.
>
> Oh, I see. That would be indeed problematic. We probably need to make
> DOMParser and other DOM API to parse HTML not handle declarative Shadow DOM
> by default.
>
> However, the sanitizer scenario that I had concerned been concerned was
> mainly ones that parse HTML in the server side and strips away any
> scripting content. Such a sanitizer would see the markup for <template
> shadowroot> as well as its content yet it won't know that this template
> element's content won't be inert. For that case, using <shadowroot>
> instead is an effective mitigation strategy because such a server-side
> parser would treat it as like any other element of known name.
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <https://github.com/whatwg/dom/issues/831#issuecomment-716262761>, or
> unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AAGPM5UZ4Y2NSHGQISPAGKTSMTKWZANCNFSM4KRWQB5A>
> .
>


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-716420129

Received on Monday, 26 October 2020 09:19:49 UTC