Re: [whatwg/dom] Declarative Shadow DOM (#831)

I have another mitigation idea… it's… pretty weird.

What if, instead of a `<template>` tag to manage shadowroots, what if we used a `<script>` tag with a novel `type` parameter?

```html
<host-element>
    <script type="shadowroot" mode="open">
        <style>shadow styles</style>
        <h2>Shadow Content</h2>
        <slot></slot>
    </script>
    <h2>Light content</h2>
</host-element>
```

Hear me out on this! It's a `<script>` tag, but it's not a _JavaScript_ tag. This `<script>` tag would behave exactly like the `<template shadowroot>` element, including its performance characteristics. No-JS environments could run `<script type="shadowroot">` without fear, or, if they're headless search engines, they could ignore the shadow roots safely, as well. In this case, when browsers disable JavaScript, they would _not_ disable declarative shadow DOM.

You can polyfill it, too, just like `<template shadowroot>`, because `<script>` tags with novel `type` attributes are inert, much like `<template>`s.

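```js
// Upgrade every inert <script type="shadowroot"> into a real shadow root.
document.querySelectorAll('script[type=shadowroot]').forEach(script => {
    // "open" or "closed", taken from the mode attribute.
    const mode = script.getAttribute('mode');
    // The shadow host is the element that contains the script tag.
    const shadowRoot = script.parentNode.attachShadow({ mode });
    // For a script element, innerHTML is its raw text, parsed here as markup.
    shadowRoot.innerHTML = script.innerHTML;
    script.remove();
});
```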

One subtlety is that `<script>` tags can't contain sub-script tags, because the parser will end the script when it sees `</script>`.

```html
<host-element>
    <script type="shadowroot" mode="open">
        <script>alert("sorry, this doesn't work");</script> <!-- NOT ALLOWED -->
        <style>shadow styles</style>
        <h2>Shadow Content</h2>
        <slot></slot>
    </script>
    <h2>Light content</h2>
</host-element>
```

But I argue that this is good, actually, if declarative shadow DOMs simply can't contain scripts. If you actually want to run some script, you can run some script at the top level to rehydrate your shadowroots with real scripts.

And, check this out: suppose there's a foolish sanitizer somewhere that doesn't sanitize `<script>` tags with non-standard `type` attributes. ("Non-standard scripts are inert!") _Fine._ There will still be no XSS, because declarative shadow DOM _can't run scripts._

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-718207542

Received on Wednesday, 28 October 2020 21:04:19 UTC
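
The parser subtlety described in the message above, as an added example that is not part of the original message or of any browser's code: a simplified JavaScript (Node) model of how a script element ends at the first `</script>`, showing which markup stays inside the wrapper as inert text and which falls out into the light DOM. The function names are hypothetical, and the tokenizer's `<!--` escape states are not modeled.

```javascript
// Simplified model of the HTML tokenizer's script data state: the element's
// text ends at the first "</script" followed by whitespace, "/" or ">".
// Assumption: the "<!--" escape states of the real tokenizer are not modeled.
const SCRIPT_END = /<\/script(?=[\t\n\f\r \/>])/i;
const SHADOW_OPEN = /<script\b[^>]*\btype\s*=\s*["']?shadowroot["']?[^>]*>/i;

// Index of the end tag that would terminate a script element, or -1.
function scriptEndIndex(text) {
  const m = SCRIPT_END.exec(text);
  return m ? m.index : -1;
}

// Split markup the way the parser would: what stays inside the
// <script type="shadowroot"> as inert text, and what falls out after it.
function splitShadowrootScript(html) {
  const open = SHADOW_OPEN.exec(html);
  if (!open) return null;
  const rest = html.slice(open.index + open[0].length);
  const end = scriptEndIndex(rest);
  if (end === -1) return { shadowText: rest, leaked: "" }; // runs to end of input
  const close = rest.indexOf(">", end);
  return {
    shadowText: rest.slice(0, end),
    leaked: close === -1 ? "" : rest.slice(close + 1),
  };
}

// Generator-side check (hypothetical helper): shadow markup may only be placed
// inside the wrapper if nothing in it would close the wrapper early.
function canEmbedAsShadowroot(shadowMarkup) {
  return scriptEndIndex(shadowMarkup) === -1;
}

// Constructed sample, based on the nested-script markup in the message above.
const SAMPLE = `<host-element>
    <script type="shadowroot" mode="open">
        <script>alert("sorry, this doesn't work");</script> <!-- NOT ALLOWED -->
        <style>shadow styles</style>
        <slot></slot>
    </script>
    <h2>Light content</h2>
</host-element>`;

const parts = splitShadowrootScript(SAMPLE);
console.log("inert text inside wrapper:", JSON.stringify(parts.shadowText.trim()));
console.log("falls out of wrapper:", JSON.stringify(parts.leaked.trim()));
```

A server that renders shadow content into this wrapper can call `canEmbedAsShadowroot` before emitting it and refuse content that would end the wrapper early.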