Re: [whatwg/dom] Declarative Shadow DOM (#831)

> > @cure53, thanks for the suggestion, but unfortunately, this would break Shadow DOM. Closed shadow roots are [designed](https://developers.google.com/web/fundamentals/web-components/shadowdom#closed) to be completely invisible to Javascript. Shadow roots in general don't even show up as a text node, they're only accessible from `element.shadowRoot`.
> 
> And this is where the flaw lies, at least from a security perspective.

I'm missing something here. To my interpretation, the issue is not really in the closedness, or openness of the shadow DOM, but rather that, in the original design, the tree (created declaratively by a native HTML parser, e.g. `DOMParser`) could have a shadow DOM attached (and JS inside of it). Even if it were open (visible), the sanitizer would have to be aware of Shadow DOM (the already shipped API) to look into it and sanitize. Closedness of the shadow DOM is not "the" flaw here, it's supporting shadow DOM from string-based parsers by default, to my understanding.

If the native HTML string->tree parsers only supported declarative shadow DOM on request, the sanitizer bypass doesn't exist, right? I.e. DOMPurify would need to opt in to a shadow-DOM-aware parser in its own codebase to be vulnerable.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-717488236

Received on Tuesday, 27 October 2020 19:37:44 UTC
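The reasoning in this comment, as an added example that is not code from the thread, from DOMPurify or from any browser: a toy model of a string parser and a sanitizer walker built on plain-object nodes (constructed here, not real DOM nodes), showing that a light-DOM-only walker misses a script placed in a declaratively attached shadow root, that a shadow-aware walker recovers the open case but never the closed one, and that a parser which does not attach shadow roots unless asked leaves nothing for the walker to miss.

```javascript
// Added example, not code from the thread: a minimal model of the bypass the
// comment describes. Nodes are plain objects constructed here, not real DOM
// nodes; `shadowRoot` mirrors element.shadowRoot (null for closed roots), and
// `_closedRoot` stands in for the tree the browser keeps but JS cannot reach.
function element(tag, children = [], shadow = null) {
  const el = { tag, children, shadowRoot: null, _closedRoot: null };
  if (shadow) el[shadow.mode === 'open' ? 'shadowRoot' : '_closedRoot'] = shadow.root;
  return el;
}

// Model of a string parser. With declarative shadow DOM enabled, a
// <template shadowroot=...> becomes a shadow root on its parent; otherwise it
// stays an inert <template> element in the light DOM, where a walker sees it.
function parse(mode, { declarativeShadowDom }) {
  const templateContent = [element('script')];
  const div = declarativeShadowDom
    ? element('div', [], { mode, root: element('#shadow-root', templateContent) })
    : element('div', [element('template', templateContent)]);
  return element('body', [div]);
}

// Sanitizer walker: strips <script> from the light DOM and, only when asked,
// from open shadow roots. Closed roots are unreachable either way.
function sanitize(node, shadowAware, removed = []) {
  node.children = node.children.filter((c) => {
    if (c.tag === 'script') { removed.push('script'); return false; }
    sanitize(c, shadowAware, removed);
    return true;
  });
  if (shadowAware && node.shadowRoot) sanitize(node.shadowRoot, shadowAware, removed);
  return removed;
}

// Counts scripts the browser still holds, including ones hidden in closed roots.
function scriptsRemaining(node) {
  let n = node.tag === 'script' ? 1 : 0;
  for (const c of node.children) n += scriptsRemaining(c);
  for (const r of [node.shadowRoot, node._closedRoot]) if (r) n += scriptsRemaining(r);
  return n;
}

// Runs the four combinations the comment discusses and returns the survivors.
function survivorsAfterSanitizing() {
  const cases = {
    noDsd: parse('open', { declarativeShadowDom: false }),
    openUnaware: parse('open', { declarativeShadowDom: true }),
    openAware: parse('open', { declarativeShadowDom: true }),
    closedAware: parse('closed', { declarativeShadowDom: true }),
  };
  sanitize(cases.noDsd, false); sanitize(cases.openUnaware, false);
  sanitize(cases.openAware, true); sanitize(cases.closedAware, true);
  return Object.fromEntries(Object.entries(cases).map(([k, t]) => [k, scriptsRemaining(t)]));
}
```

Only the `noDsd` and `openAware` cases end with no script left; the parser opt-in removes the bypass regardless of whether the sanitizer knows about shadow roots.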