-
Notifications
You must be signed in to change notification settings - Fork 299
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request for mechanism to determine if children changed steps are called as a result of script or parser #1288
Comments
cc @otherdaniel as he did the Chromium implementation |
I am interested in two things here.
Footnotes
|
By "invalidation" I meant having the Such a setup seems vastly preferable over maintaining a complete separate copy of the contents of the |
I'll take some more time to properly read through and respond but regarding how correct the "is changed by API" bit is. Chromium used to (and right now WebKit still does) have at least 1 situation where a parser change is marked as API and so the script is untrusted. The XML parser would append nodes as if they were an API change. This is because a legacy deprecated SVG element (tref) is built on mutation events, and so it went down the path that fired mutation events. Chromium simply removed that element and fixed the parser, WebKit is slightly more complicated because it might be used in non-web places, BUT that's looking like the end result too. This is the only (relevant) place that's wrong from my testing but it's possible there could be other mismatches.
The main thing is we need all API changes to show as such, if some parser steps pretends it's an API that's not the end of the world, especially because in it's current form it's just used during script element parse time.
Yes, my understanding is that the parser itself will fire children changed steps during the course of parsing. |
That is good to know. Web platform tests confirming this across the two implementations would be lovely to see though.
Right but I guess the question is: do these "children changed" steps in any specs actually modify the children of the node they are being called on? I don't think |
Following up on this I've opened a draft PR on Trusted Types which tries to advaced the script protection. I've moved to a new model after discussions with Anne and others which be simpler to understand. The idea is that a script element has two flags, one to say it's trusted which is initially true (so parsed scripts are trusted), and one to say it's been modified by a trusted sink. The model relies on the children changed steps and a new flag "parser change" for those steps which can be used to differentiate between API or Parser. See w3c/trusted-types#533 for the specifics. So the big missing piece of the puzzle is how to get that new "parser change" flag specced. It seems that the children changed steps aren't neccessarily called directly from the parser so it might require piping the flag through multiple layers of indirection? I also discussed with @smaug---- about how feasible this information is to get in Gecko and while the implementation is different from Webkit and Chromium, it's sounds like it should be easy enough to get the neccessary information. |
What problem are you trying to solve?
In TrustedTypes we have a need to distinguish between a script's children being changed by an API (e.g. script.appendChild) or changed by the parser.
This is specifically needed as we treat all parsed scripts as trusted by default. However, it's possible for a script to be manipulated before it's finished parsing, and in those cases it shouldn't be trusted.
What solutions exist today?
Both Chromium and WebKit implement a childrenChanged function on their ContainerNode type which I believe translates to the children changed steps concept defined in the DOM algorithm. However, unlike the spec Chromium and WebKit both provide an argument to the function with details, such as the type (what changed and how it changed), and importantly the source of the change (parser vs API).
We can (and do) use this to invalidate scripts in the above described situation.
How would you solve it?
It would be good if the DOM spec matched the reality of at least 2 implementations (unsure about Gecko), and provided details about the change, at the very least for this use case the source of the change.
Anything else?
See w3c/trusted-types#499 (comment) for a long discussion that lead to this issue being raised.
I'm open to any alternative spec mechanisms we can use to spec this behaviour, so if there's a way today or a simpler change we can use let me know.
The text was updated successfully, but these errors were encountered: