[whatwg/dom] [Declarative Shadow DOM] How should we build the "opt-in" for fragment parsing of declarative Shadow DOM? (#912)

In #831, there is a [rough consensus](https://github.com/whatwg/dom/issues/831#issuecomment-718157132) that, to protect against client-side XSS, the entry points to the [fragment parser](https://www.w3.org/TR/DOM-Parsing/) need to be guarded by a declarative Shadow DOM "opt-in". If some script doesn't enable this opt-in, then any declarative Shadow DOM (`<template shadowroot>`) in the markup being parsed will be treated as a "normal" `<template>` that happens to have an attribute called "shadowroot".

How should this opt-in work? There are multiple entry points to the parser, some of which are "good" for sanitization, in that they parse into an isolated document fragment that doesn't execute script:

1. [`DOMParser.parseFromString()`](https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#dom-domparser-parsefromstring)
2. [`<template>.innerHTML`](https://www.w3.org/TR/DOM-Parsing/#h-attributes)
3. [`XMLHttpRequest`](https://xhr.spec.whatwg.org/#document-response) with an HTML MIME type and a data URL
4. [`<iframe>`](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element) using srcdoc, src, document open/write, etc.
5. [`createHTMLDocument`](https://dom.spec.whatwg.org/#dom-domimplementation-createhtmldocument) and then use [`createContextualFragment()`](https://w3c.github.io/DOM-Parsing/#dom-range-createcontextualfragment)
6. [`createHTMLDocument`](https://dom.spec.whatwg.org/#dom-domimplementation-createhtmldocument) and then use body.innerHTML

**Are there others?**

Of the list above, the most straightforward for most would seem to be just adding an opt-in attribute to the relevant object:
    1. DOMParser: `let parser = new DOMParser(); parser.allowDeclarativeShadowDOM = true;`
    3. XMLHttpRequest: `let client = new XMLHttpRequest(); client.allowDeclarativeShadowDOM = true;`
    4. HTMLIframeElement: `let iframe = document.createElement('iframe'); iframe.allowDeclarativeShadowDOM = true;`

For createContextualFragment, perhaps just add an options bag? Seems cleaner than an attribute on Range():
    5. createContextualFragment: `createContextualFragment(fragment, {allowDeclarativeShadowDOM: true});`

The most difficult, it would seem, is the `innerHTML` attribute. Perhaps an attribute on the owning document?
    2 and 6. innerHTML: `element.ownerDocument.allowDeclarativeShadowDOM = true; element.innerHTML = html;`
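The sanitizer case that motivates the opt-in, as an added example that is not code from the issue, from any browser or from any spec: a tree walk that stays correct whichever way the fragment parser treated `<template shadowroot>`. It assumes the attribute name used in the thread; `sanitizeTree` uses only standard DOM members, and `sanitizeHTML` is the browser entry point through `<template>.innerHTML` (item 2 above).

```javascript
// Added example (not from the issue): a sanitizer walk that is correct whether
// the fragment parser honoured <template shadowroot> or treated it as a plain
// template. Uses standard DOM members only; "shadowroot" is the thread's name.
const ELEMENT_NODE = 1;
const BLOCKED = new Set(['script', 'iframe', 'object', 'embed', 'base']);

// Removes blocked elements and on* handler attributes below `root` (element,
// template content or shadow root) and returns counts of what it touched.
function sanitizeTree(root, stats = { removed: 0, handlers: 0, shadowTemplates: 0 }) {
  // Snapshot: removing from a live childNodes list while iterating skips siblings.
  for (const node of Array.from(root.childNodes)) {
    if (node.nodeType !== ELEMENT_NODE) continue;
    if (BLOCKED.has(node.localName)) {
      node.remove();
      stats.removed++;
      continue;
    }
    for (const name of node.getAttributeNames()) {
      if (name.toLowerCase().startsWith('on')) {
        node.removeAttribute(name);
        stats.handlers++;
      }
    }
    if (node.localName === 'template') {
      // Without the opt-in this arrived as an ordinary template. Drop the
      // attribute so that serialising the output and re-parsing it where the
      // opt-in is enabled cannot turn it into a shadow root.
      if (node.getAttributeNames().includes('shadowroot')) {
        node.removeAttribute('shadowroot');
        stats.shadowTemplates++;
      }
      // Template children live in the inert .content fragment, not childNodes.
      sanitizeTree(node.content, stats);
    }
    // With the opt-in the shadow tree is already attached, outside childNodes. Only
    // open roots are reachable; a closed one cannot be inspected at all.
    if (node.shadowRoot) sanitizeTree(node.shadowRoot, stats);
    sanitizeTree(node, stats);
  }
  return stats;
}

// Browser entry point using the <template>.innerHTML path (item 2 above).
function sanitizeHTML(html) {
  const tmpl = document.createElement('template');
  tmpl.innerHTML = html;            // inert: nothing here executes script
  sanitizeTree(tmpl.content);
  return tmpl.innerHTML;
}
```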

https://github.com/whatwg/dom/issues/912

Received on Friday, 30 October 2020 19:37:16 UTC