Re: [whatwg/dom] Declarative Shadow DOM (#831)

> I completely understand the concern about XSS issues. But blocking an entire feature (or otherwise making it much less usable, e.g. by adding HTTP header [footguns](https://github.com/whatwg/dom/issues/831#issuecomment-716078525), or disallowing `innerHTML` usage) based on this concern doesn't seem to make sense to me. Browsers add new XSS vulnerabilities all the time - they're called "bugs". 

What do you mean exactly by "browsers add new XSS vulnerabilities all the time"? Perhaps you refer to universal XSSes? These are not really related. It's a separate bug class, and indeed one that needs to be patched by the browser vendor. Universal XSSes are not really related to XSSes, as the first ones are browser implementation bugs, and it's not up to the website owners to patch them. 

Browsers, in principle, almost never introduce additional XSS vectors in existing applications. The last time I remember this happening was when adding HTML imports was [flagged](https://lists.w3.org/Archives/Public/public-webapps/2014AprJun/0729.html), [dismissed](https://lists.w3.org/Archives/Public/public-webapps/2014AprJun/0736.html), and then subsequently broke [most of the sanitizers](https://www.google.com/search?q=link+rel+import+xss) - including [Chrome's own XSS auditor](https://bugs.chromium.org/p/chromium/issues/detail?id=485198). This is exactly what we're trying to avoid here. We purposefully have a high bar for introducing new ways script execution can be achieved in web applications, given the prevalence of XSS and the effort that web authors have put into protecting their applications from it.

> And security is an ongoing process of continuous work. That's why most browsers themselves are released very frequently, to be able to keep up with security issues. This is just another emerging security issue, which does need to be taken into account by sanitizer libraries. Fortunately, this one (as opposed to the bugs) is known ahead of time. I just don't believe we need to block all new features based on the oldest and/or most-misconfigured sanitizers in use across the web.

... and you're right. Nothing is absolute. The risk just needs to be carefully considered, in line with one of the [HTML design principles](https://www.w3.org/TR/html-design-principles/#support-existing-content). We're trying to figure out how likely it is that the current design breaks existing pages, given that there's no notification mechanism for existing pages' authors (there is telemetry, though, to check the patterns used in the wild, to some extent) that they should migrate. And we're exploring whether an alternate design might not have the same breakage potential, and what its downsides are.


https://github.com/whatwg/dom/issues/831#issuecomment-716711904

Received on Monday, 26 October 2020 17:38:54 UTC