Re: [whatwg/dom] Declarative Shadow DOM (#831)

> If server side XSS is the issue I still don't understand where the issue lies with a custom header/html meta element to make the user agent opt-into a 'potentially' dangerous feature (only dangerous because the server side XSS sanitizers are not strict in the real world and treat unknown elements as text instead of a threat, which is what they should do).

An opt-in HTTP header would severely hurt the usability of declarative shadow DOM. Consider this Twitter poll:
https://twitter.com/jaffathecake/status/1318904059366080513


54% of users said they would have no problem adding a header; 17% said they didn't know whether they could do this. The other 29% said it would be difficult or impossible to add a header.

That could be worth it if we think the header is the right/best approach, but you'll recall my earlier argument that using an opt-in HTTP header for the SSX issue would be a footgun, because developers would opt in without actually knowing whether they're safe.

Of course, I've also argued that the bullets for this footgun are rare; there's no evidence that any server-side sanitizer leaves `<template>` tags unstripped, and good reason to think there shouldn't be any (because it would require extra work to let the `<template>` stand, and doing that would leave the sanitizer buggy in legacy browsers).

If we accept both arguments at once, I suppose we could have an HTTP header opt-in mechanism precisely _because_ almost all server-side sanitizers DTRT anyway. Which is to say, if you think that the SSX issue doesn't matter, the fact that developers would misuse the opt-in mechanism doesn't matter, either.

I can't imagine this conclusion making anybody happy. If the SSX issue matters, then it should also matter that developers will opt in without knowing that they're safe. If it doesn't matter that developers will opt in without knowing that they're safe, then we shouldn't have the header at all.

But an opt-in mechanism certainly would provide secure defaults. Maybe it's the best compromise available…? But, if so, that's really disappointing.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-717531423

Received on Tuesday, 27 October 2020 20:52:00 UTC
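The claim in the comment above ("no server-side sanitizer leaves `<template>` tags unstripped") is something a practitioner can check against their own sanitizer rather than take on faith. The following is an added example, not code from the whatwg/dom thread, from any commenter, or from any shipped sanitizer: it runs a few constructed declarative-shadow-DOM probes through a sanitizer and reports whether a `<template>` that declares a shadow root survives in the output. It assumes the shadow-root attribute is spelled `shadowroot` (the 2020 proposal) or `shadowrootmode` (the name that later shipped); `strictSanitize` and `lenientSanitize` are toy stand-ins written for this example, and `PROBES` are constructed inputs.

```javascript
// Added example, not code from the whatwg/dom thread or any shipped sanitizer.
// It turns the thread's claim ("no server-side sanitizer leaves <template>
// unstripped") into a regression check you can run against your own sanitizer.
// Assumptions: the shadow-root attribute is `shadowroot` (the 2020 proposal)
// or `shadowrootmode` (the name that later shipped); strictSanitize and
// lenientSanitize are toy stand-ins written for this example; PROBES are
// constructed inputs.

const TAG_RE = /<\/?([a-zA-Z][\w-]*)([^<>]*)>/g;
const ON_ATTR_RE = /\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
// Matches an opening <template ...> that carries a shadow-root attribute.
const SHADOW_TEMPLATE_RE = /<template\b[^>]*\sshadowroot(?:mode)?\s*=/gi;

// Escape text so a browser renders it literally instead of parsing it.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Toy strict sanitizer: element allowlist. Any tag not on the list, <template>
// included, is re-emitted as text; on* handlers are dropped from kept tags.
function strictSanitize(html, allowed = ['b', 'i', 'p', 'a', 'img']) {
  return html.replace(TAG_RE, (tag, name, attrs) => {
    if (!allowed.includes(name.toLowerCase())) return escapeText(tag);
    const slash = tag.startsWith('</') ? '/' : '';
    return `<${slash}${name}${attrs.replace(ON_ATTR_RE, '')}>`;
  });
}

// Toy lenient sanitizer: removes <script> and on* handlers but lets every
// other element stand. This is the shape the thread worries about: the
// <template> survives, and a browser with declarative shadow DOM will parse
// its contents into a live shadow root rather than an inert fragment.
function lenientSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(TAG_RE, (tag, name, attrs) => {
      const slash = tag.startsWith('</') ? '/' : '';
      return `<${slash}${name}${attrs.replace(ON_ATTR_RE, '')}>`;
    });
}

// Returns every surviving <template> open tag that declares a shadow root.
function findShadowRootTemplates(html) {
  return html.match(SHADOW_TEMPLATE_RE) || [];
}

// Constructed probes: two declarative-shadow-root templates (both attribute
// spellings, mixed case) and one plain <template> as a control.
const PROBES = [
  '<template shadowroot="open"><img src=x onerror=alert(1)></template>',
  '<TEMPLATE SHADOWROOTMODE=closed><p>closed root</p></TEMPLATE>',
  '<p>plain <template>inert in every browser</template> text</p>',
];

// Run the probes through a sanitizer; "safe" means no shadow-root template
// made it into the output.
function auditSanitizer(sanitize) {
  const survivors = [];
  for (const probe of PROBES) {
    survivors.push(...findShadowRootTemplates(sanitize(probe)));
  }
  return { safe: survivors.length === 0, survivors };
}

console.log('strict :', auditSanitizer(strictSanitize));
console.log('lenient:', auditSanitizer(lenientSanitize));
```

To use this against a real sanitizer, replace the toy functions with a call into your own sanitization routine and keep `auditSanitizer` as the assertion: anything other than an empty `survivors` list means a `<template>` with a shadow-root attribute reaches the browser, which is exactly the case the thread is debating. Note that the check only looks at whether the template stands; it does not try to judge what its contents would do once they are live.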