Re: [whatwg/dom] Declarative Shadow DOM (#831)

Some thoughts (not original but to add another implementor view):

* I've generally resisted changes to the HTML parsing algorithm, because even if the desktop and mobile (but not necessarily TV) browsers are on a reasonable update cycle, we can't make server-side software deployments update quickly even if their upstream projects update quickly. Likewise, even if JavaScript libraries release new upstream versions quickly, we mustn't make design decisions that rely on those updates getting deployed quickly.
* It's not OK for a browser-side change to introduce XSS to sites that didn't have XSS prior to that browser-side change.
* Introducing XSS merely to the long tail of sites is still not OK.
* If there's an opt-in, it needs to manifest somehow at the `DOMParser.parseFromString` call site. An action-at-a-distance HTTP header is a bad idea.
* (Not relevant to the most recent comments but: It's not OK to break incremental parsing of HTML coming from a network stream.)
* I'm still not convinced that the benefits of this feature justify the complexity cost.

-- 
https://github.com/whatwg/dom/issues/831#issuecomment-717890389

Received on Wednesday, 28 October 2020 12:08:47 UTC