On Wed, Jun 1, 2022 at 11:09 AM Daniel Vogelheim <vogelh...@chromium.org> wrote:
> Contact emails
> vogelh...@chromium.org, mk...@chromium.org, l...@chromium.org
>
> Explainer
> https://github.com/WICG/sanitizer-api
> https://web.dev/sanitizer
>
> Specification
> https://wicg.github.io/sanitizer-api
>
> Docs
> https://web.dev/sanitizer
> https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API
>
> Summary
>
> The Sanitizer API offers an easy to use and safe by default HTML Sanitizer API, which developers can use to remove content that may execute script from arbitrary, user-supplied HTML content. The goal is to make it easier to build XSS-free web applications. The intended contributions of the Sanitizer API are: making a sanitizer more easily accessible to web developers; being easy to use and safe by default; and shifting part of the maintenance burden to the platform.
>
> This is the initial "MVP". This implements the current spec except for two features, the .sanitize and .sanitizeFor methods on the Sanitizer object, in order to leave room for more discussion. Our intent is to add the missing features once the discussion has run its course. In all other aspects, this launch faithfully implements the spec as currently written. We feel the current implementation already adds substantial value to the web platform as-is.

So will this only support the `setHTML()` option initially?

> Blink component
> Blink>SecurityFeature>SanitizerAPI
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ESanitizerAPI>
>
> TAG review
> https://github.com/w3ctag/design-reviews/issues/619
>
> TAG review status
> Issues addressed
>
> Risks
>
> Interoperability and Compatibility
>
> This is a new API that does not modify existing behaviour. A comprehensive WPT test suite ensures cross-browser compatibility.
>
> *Gecko*: In development (https://github.com/mozilla/standards-positions/issues/106)
> Standards Position: https://github.com/mozilla/standards-positions/issues/106
> A prototype is in development: https://groups.google.com/g/mozilla.dev.platform/c/C4EHeQlaMbU/m/C8hNg9ehBwAJ
>
> *WebKit*: No signal (https://lists.webkit.org/pipermail/webkit-dev/2021-March/031731.html, https://lists.webkit.org/pipermail/webkit-dev/2022-March/032155.html)
> A position statement has been requested. The answer received to date (2021-03-18) avoids giving a definite answer one way or another. Please follow the links for details.
>
> *Web developers*: Positive. There have been several articles or blog posts about the Sanitizer API, with a generally positive undertone. Examples:
> https://portswigger.net/daily-swig/google-mozilla-close-to-finalizing-sanitizer-api-for-chrome-and-firefox-browsers
> https://blog.bitsrc.io/javascript-sanitizer-api-the-modern-way-to-safe-dom-manipulation-828d5ea7dca6
> https://css-tricks.com/html-sanitizer-api/
>
> Security
>
> The goal of this feature is to make security more accessible. We generally consider this feature low risk, since it's an additive feature that does not extend or interact with existing platform security mechanisms. The specification lists several security risks that are being considered during development of the feature:
> https://wicg.github.io/sanitizer-api/#security-considerations
>
> WebView application risks
>
> n/a
>
> Debuggability
>
> Sanitizer API can be readily debugged with existing DevTools. It does not have hidden state (or other "special" integration) that would warrant customized DevTools support.
>
> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
> Yes
>
> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
> Yes
>
> Flag name
> SanitizerAPIv0
>
> Requires code in //chrome?
> False
>
> Tracking bug
> https://crbug.com/1101982
>
> Launch bug
> https://crbug.com/1306863
>
> Measurement
> Several counters for API calls are defined. (E.g. https://source.chromium.org/search?q=MeasureAs%3DSanitizerAPI%20file:%5C.idl$ <https://source.chromium.org/search?q=MeasureAs%3DSanitizerAPI+file%3A%5C.idl%24>)
>
> Estimated milestones
>
> 105
>
> Anticipated spec changes
>
> The plan of record is to migrate the current WICG spec to HTML proper:
> * https://github.com/WICG/sanitizer-api/issues/114
> * https://github.com/whatwg/html/issues/7197
>
> Two apparently contentious API choices were removed from this launch, which is what makes this an MVP. By making sure the MVP only contains agreed upon APIs we allow for the future evolution of the API in any direction.
> * https://github.com/WICG/sanitizer-api/issues/129
> * https://github.com/WICG/sanitizer-api/issues/128
>
> The present spec requires a secure context. This might be dropped in a future version.
> * https://github.com/WICG/sanitizer-api/issues/122
>
> The present spec does not support namespaced content (like SVG or MathML). This is likely to be added in a future version.
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/5786893650231296
>
> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>; plus manual editing.
>
> --
> You received this message because you are subscribed to the Google Groups "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNZ1TE5wbApR4-scTLjwKT54vzB_FLjnqbLLth%2BJmLpUQ%40mail.gmail.com.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfXenapDxR5_Sw6zaR6iZEV8%3DK98Uh3QY_%2B-2FndxkXJDA%40mail.gmail.com.