First draft: explainer-new.

[otherdaniel]

Explainer for new Sanitizer API design, based on recent sync meeting (#192).

Notes:

• Not ready yet; would like to add examples.
• I added several open questions not discussed in the meeting.

[otherdaniel]

This tries to summarize the result from the recent sync meeting. I hope it's a starting point to replace the current explainer for this project, and to then base future work on it. Please let me know if this doesn't reflect the meeting results accurately.

I've added several open questions (i.e., what about defaults?) that were not explicitly discussed at the meeting.

I'd like to add examples, too, to make this more useful for people not involved in the meetings.

[annevk]

Thanks for writing this up @otherdaniel! Left my thoughts and nits inline.

[annevk]

1. It seems good to conclude Clarify threat model, "XSS first and foremost" #188 so "baseline" is clear.
2. I think that by default "unsafe" shouldn't do any filtering. And if you want you get to essentially supply your own block and safelists and the browser won't perform any normalization on them.

[mozfreddyb]

1. This is more than "what the baseline is", but also whether the default should be something "more usable" than the baseline (e.g., also issue baseline should be default and default should be baseline #183). I think it should suffice to enforce only the baseline. (Unless we actually do the full research on the defaults of other sanitizers and e.g., popular XSS gadget attributes to also strip from the "default".)

[annevk]

I think ultimately that decision is largely up to the WHATWG. And we decided there previously that new parsing APIs won't need any kind of opt-in for declarative shadow roots. So we shouldn't add any here. I don't think we need opt-out either (that's handled through custom elements not being safelisted).

[mozfreddyb]

As long as a declarative shadow root always requires a custom element as a parent and as long as we require custom elements to be named in the allowElements list, I am very OK with this not being a toggle at all.

[otherdaniel]

Reworded this. Agree on WHATWG getting the last word.

I'm not aware of any requirements that shadow roots - declarative or not - must be hosted by custom elements. I thought a boring old <div> could also host a shadow DOM. Am I overlooking something?

[otherdaniel]

Trying to find evidence for restrictions on shadow root hosts. What I find is:

• https://dom.spec.whatwg.org/#concept-element-shadow-root and
• https://dom.spec.whatwg.org/#dom-element-attachshadow

The second one lists quite a few restrictions, but it does allow a number of specific HTML elements, e.g. div.

[annevk]

Good point. I raised this in whatwg/dom#831 (comment).

Having said that, I'd appreciate it if @mozfreddyb could elaborate on this concern, as I'm not yet seeing the problem with shadow roots potentially being present in the output.

If there is a problem though I don't think we should address it at the parser level, but instead the sanitizer should block elements with an associated shadow root.

[mozfreddyb]

Well, glad we got some clarity here. I was totally not aware that this may live outside of custom elements. That being said, I think this is all fine as long as the sanitizer traverses the shadow root.

[mozfreddyb]

We discussed this on the call and agree that this is fine as long as the sanitizer is traversing

[annevk]

If actual normalization is performed on the input and that is exposed (rather than the input being reflected back) I could see folks supporting a class. The current Sanitizer class is not it though.

[mozfreddyb]

My main hope with this was that a framework would supply a Sanitizer instance for the web developer to use in framework-specific code (e.g., to prevent script gadgets attacks). That being said, a dictionary is likely as good.

[mozfreddyb]

We also discussed this on the call. We agree that there's little value in having an object that just contains a dictionary. Nobody is against an object, as long as there is a useful feature behind it (e.g, normalization, performance).

[annevk]

I'd be okay leaving it out until we see demand.

[otherdaniel]

Done. (Removed this from open questions, and added a sentence after the API proposal.)

[mozfreddyb]

This is great. Thanks so much, Daniel!
(And my deepest apology for the the review delay here!)

I think this is almost ready to merge once we have resolved the minor sidebars

[mozfreddyb]

As long as a declarative shadow root always requires a custom element as a parent and as long as we require custom elements to be named in the allowElements list, I am very OK with this not being a toggle at all.

[mozfreddyb]

1. This is more than "what the baseline is", but also whether the default should be something "more usable" than the baseline (e.g., also issue baseline should be default and default should be baseline #183). I think it should suffice to enforce only the baseline. (Unless we actually do the full research on the defaults of other sanitizers and e.g., popular XSS gadget attributes to also strip from the "default".)

[mozfreddyb]

My main hope with this was that a framework would supply a Sanitizer instance for the web developer to use in framework-specific code (e.g., to prevent script gadgets attacks). That being said, a dictionary is likely as good.

[annevk]

Thanks, this looks great!

[annevk]

I'm not sure we want to directly compare parsing to innerHTML as there will at least be two major differences:

1. Support for declarative shadow roots.
2. No support for XML.

[mozfreddyb]

While technically correct, I think it helps to draw a comparison. Even if it's not exactly 1:1, I am expecting many developers to switch from innerHTML= to setHTML()

[annevk]

This is summarizing the design for implementers, no? I don't mind it saying innerHTML, but it should be more accurate.

[mozfreddyb]

We agree on a softer wording. "almost like", "similar to innerHTML". etc. :). Obviously, there should be a section that explains the differences more closely.

[otherdaniel]

Done. Also added a note at the bottom to be more explicit.

[otherdaniel]

One question on, "No support for XML": I think we agree that Document.parseHTML should not create XML documents (unlike DOMParser). Is this also meant to apply to setHTML when called on an element in an existing XML document?

(I don't mind either way; but would like to be clear.)

[annevk]

I meant it for both.

[annevk]

Can we reference #188 here?

[otherdaniel]

Done.

[annevk]

I think we can consider this decided.

[otherdaniel]

Removed. (I added this as one example to the note about differences between the new APIs and their existing counterparts.)

[annevk]

This seems correct. An object here would require one of:

1. Compelling performance numbers.
2. A compelling operation that would only work with a pre-processed dictionary.

[otherdaniel]

Done. Adopted this wording.

[mozfreddyb]

While technically correct, I think it helps to draw a comparison. Even if it's not exactly 1:1, I am expecting many developers to switch from innerHTML= to setHTML()

[annevk]

\o/

Thanks!