Re: [whatwg/dom] Declarative Shadow DOM (#831)

Thanks for the additional comments here. To try to focus the discussion, this seems to be where we are:

1. There is general consensus that the client-side XSS issue ("Problem #1") is an issue, and that opting in to declarative Shadow DOM for the fragment parser is the right way forward. I've opened #912 to discuss this specific change, and try to come up with the right way to do that. Please feel free to direct this part of the discussion to that issue.

2. It seems rather unclear what the "policy" is for adding new elements and events to the web platform, as it relates to security, XSS risks, and sanitizers. I've opened #913 to discuss this issue more broadly. I think that the resulting policy decision there applies not only to declarative Shadow DOM, but a host of other features, so it's important to discuss and come to a resolution. Please feel free to direct this part of the discussion to that issue.

3. The question of streaming was brought back up. As I detailed in [this section](https://github.com/mfreed7/declarative-shadow-dom/blob/master/README.md#prior-discussion-at-tokyo-f2f) of the explainer, this issue was one of the main reasons the original 2018 declarative Shadow DOM proposal did not move forward. Additionally, given the context that the above XSS issues are a significant issue for most people on this thread, and a "streaming" solution would likely open up many more such XSS issues, it would seem to be a no-go. I can open a new issue for this sub-point, if that's warranted. I'm not sure what the conviction level behind [this parenthetical comment](https://github.com/whatwg/dom/issues/831#issuecomment-717890389) actually was. Perhaps strong, I just don't know.

I believe those are the big remaining issues here. Please let me know if I missed some.

https://github.com/whatwg/dom/issues/831#issuecomment-719756978

Received on Friday, 30 October 2020 19:38:06 UTC