- From: Dan Fabulich <notifications@github.com>
- Date: Tue, 27 Oct 2020 11:57:19 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/dom/issues/831/717466622@github.com>
> Just as FYI, arguing that this doesn't matter isn't a winning strategy in any argument, really. If you're going to keep pushing this discussion in that direction, I'm not certain that we'd ever reach a consensus here. Let me rephrase my earlier post, which previously confused the CSX issue and the SSX issue. As I see it, the options to address the SSX issue are as follows: 1. Keep going with `<template shadowroot>` and accept the SSX risks 2. Adopt an opt-in mechanism (which would _absolutely_ be a footgun in the context of the SSX issue) 3. Switch to a new element name like <shadowroot>, which legacy sanitizers will treat as an HTMLUnknownElement Do I understand correctly from this last message that you will under no circumstances agree with Option 1 as-is? When I asked you previously to say what you specifically recommend, you gave no specific recommendation, but said that "It's possible that the problem is over constrained and we need to pick the least problematic / evil solution among them." But to make that argument would require someone to argue that the SSX risks are the "least problematic" and the most natural way to do that is to argue that the SSX risks are extremely rare/unlikely, i.e. that the SSX risk "doesn't matter." On the other hand, if you think the SSX issue is dispositive, then that's game over for `<template shadowroot>`. Is that what you're saying here? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-717466622
Received on Tuesday, 27 October 2020 18:57:32 UTC