Re: [whatwg/dom] Declarative Shadow DOM (#831)

> > That's not true. A given website may only support & serve content to "modern" web browsers that support template elements. Any sanitizer on such a website need not worry about browsers that don't support template elements.
> 
> This is false. User agent spoofing is reality.

You mean that IE11 will pretend as if it's Edge15 or Chrome 35 and support template element? I don't think so.

> Also client-side-only XSS-sanitization is an insecure-by-design anti-pattern.

Here, I'm talking about server-side sanitization in response to @cure53's [comment above](https://github.com/whatwg/dom/issues/831#issuecomment-717058025).

> > Therefore, for security purposes, it is not acceptable to skip sanitizing dangerous code like `<script>` and onmousemove attributes inside `<template>`. At the very least, that will pwn your IE11, Opera Mini, and Safari 7 users.
> 
> FWIW in [uce-template](https://github.com/WebReflection/uce-template#readme), which already does pretty much everything discussed in here regarding SSR, I've solved the IE11 (and other legacy) `<script>` issue by simply using/requiring `type="module"`, which is also not supported by legacy browsers, including IE11, and if there is a `template {display:none}` on top, no `mousemove` or other events can happen.

FWIW, load/error and other non-standard events could still fire for script, style, and link elements so it's pretty important to strip away on* content attributes.

> P.S. any polyfill can add that rule on top whenever it's feature detected that `document.createElement('template')` is an `UnknownHTMLElement` so the `type="module"` looks the only enforcement to make it work without worrying about `<script>` around.

You can construct your own iframe and check the presence of template there, assuming whatever method you use to create the iframe isn't spoofed itself as well, although that's a bit overboard.

https://github.com/whatwg/dom/issues/831#issuecomment-717123528

Received on Tuesday, 27 October 2020 09:55:41 UTC
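As an added illustration of the sanitizer point raised in this reply (this is example code written for this page, not code from the thread, from whatwg/dom or from uce-template): a minimal Python `html.parser`-based stripper that removes `<script>` elements together with their content and drops every `on*` content attribute, descending into `<template>` like any other element. It also carries a deliberately wrong `skip_template` switch, so the difference between treating template content as inert and sanitizing it can be seen on the same input. Assumptions: the sample markup and the `shadowrootmode` usage are constructed for the demonstration; `html.parser` is not an HTML5-compliant parser and this is a denylist, not the allowlist a production sanitizer should be built on, so it demonstrates the check rather than replacing a real sanitizer.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample input (not taken from the thread): the dangerous parts sit
# inside <template>, which is the case the reply says must not be skipped.
SAMPLE = (
    '<div id="app"><template shadowrootmode="open">'
    '<style>p{color:red}</style>'
    '<script>alert(1)</script>'
    '<img src="x.png" onerror="alert(2)">'
    '<p onmousemove="alert(3)">hi</p>'
    '</template><script>alert(4)</script><p>visible</p></div>'
)

VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}


class StripDangerous(HTMLParser):
    """Re-emit markup without <script> elements and without on* attributes.

    skip_template=True reproduces the mistake discussed in the thread: template
    content is copied through untouched, so payloads inside it survive.
    """

    def __init__(self, skip_template=False):
        super().__init__(convert_charrefs=False)
        self.skip_template = skip_template
        self.out = []
        self.script_depth = 0    # >0 while inside a <script> being dropped
        self.template_depth = 0  # >0 while inside a <template>

    def _passthrough(self):
        return self.skip_template and self.template_depth > 0

    def _render(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            # html.parser unescapes attribute values, so re-escape on output
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ">"

    def handle_starttag(self, tag, attrs):
        if tag == "template":
            self.template_depth += 1
        if self._passthrough():
            self.out.append(self.get_starttag_text())  # the wrong behaviour
            return
        if tag == "script":
            self.script_depth += 1  # drop the tag and everything up to </script>
            return
        if self.script_depth:
            return
        # Drop every event-handler attribute, including load/error handlers
        kept = [(name, value) for name, value in attrs if not name.lower().startswith("on")]
        self.out.append(self._render(tag, kept))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_ELEMENTS and not self._passthrough():
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        passthrough = self._passthrough()
        if tag == "template":
            self.template_depth -= 1
        if passthrough:
            self.out.append(f"</{tag}>")
            return
        if tag == "script":
            self.script_depth = max(0, self.script_depth - 1)
            return
        if self.script_depth:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes (and raw <style> text) pass through; <script> text is dropped
        if self._passthrough() or not self.script_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if self._passthrough() or not self.script_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if self._passthrough() or not self.script_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if self._passthrough():
            self.out.append(f"<!--{data}-->")  # comments are otherwise dropped


def sanitize(markup, skip_template=False):
    parser = StripDangerous(skip_template=skip_template)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("sanitized:     ", sanitize(SAMPLE))
    print("template skipped:", sanitize(SAMPLE, skip_template=True))
```

Run as-is, the first line of output has no `alert` left anywhere, while the `skip_template=True` line still carries `<script>alert(1)</script>` and the `onerror` attribute inside the template, which is exactly what a sanitizer that treats template content as inert hands to a browser without template support.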