Re: [whatwg/dom] Declarative Shadow DOM (#831)

> Even if it were open (visible), the sanitizer would have to be aware of Shadow DOM (the already shipped API) to look into it and sanitize, as shadow DOM needs to be traversed separately (hence shadow). Closedness of the shadow DOM is not "the" flaw here, it's supporting shadow DOM from string-based parsers by default, to my understanding.

Yop, I really do agree here. But for us this was already the case. We could already deal with an _open_ Shadow DOM. Have been able to for years. The novelty for us was the _closed_ one and it being inaccessible to the code DOMPurify used for everything else. Had it not been for this novelty and some flexibility we allow with our return types, we would have been fine too.

So, all in all I am not worried about DOMPurify at all. We got notified by @mfreed7, which was awesome, we managed to produce a one-liner fix in no time, this is how things should be :D No users were put at risk, this was fantastic collaboration and I am grateful for it!

I am only worried about how this (or any other new) feature _should_ be, ideally so, so the notification process isn't necessary in the first place. We would likely not have noticed on time without the ping from Chrome Team :)

https://github.com/whatwg/dom/issues/831#issuecomment-717583105

Received on Tuesday, 27 October 2020 22:42:24 UTC