Voicing some concern about this API that I've raised before, and perhaps 
I'm reading this wrong and it was addressed.
Think of CMS-style sites that embed user-generated HTML, like wikis (I 
worked on popups for Wikipedia).
This HTML is usually sanitized to remove potentially malicious tags 
(<script>, <object>) and also script-invoking events (on* etc.).
One of the things those content systems have to do is make sure that the 
embedded content is clearly separated from the platform UI.
That is usually done with z-index & overflow. No matter how you play around 
with your embedded content, if it is embedded inside a stacking/overflow 
context, it can't go on top of the platform UI.

By allowing showing/hiding top-layer elements without JS, we break this 
contract and existing HTML sanitization-based systems. Wikis and some other 
existing CMSs can resolve this by special-casing popover attributes in 
their sanitizers, but I wonder if it would break existing content systems 
that don't have that privilege, don't know about it, or are not actively 
developing their HTML sanitizer.

Note that this concern is only about the capability to open a popup without 
JS. 




On Friday, March 17, 2023 at 9:00:09 PM UTC+2 Mason Freed wrote:

> Contact emails: mas...@chromium.org
>
> Explainer: https://open-ui.org/components/popup.research.explainer
>
> Specification: https://html.spec.whatwg.org/multipage/popover.html
>
> Summary
>
> An API that can be used to build transient user interface (UI) elements 
> that are displayed on top of all other web app UI. These include 
> user-interactive elements like action menus, form element suggestions, 
> content pickers, and teaching UI. This API uses a new `popover` content 
> attribute to enable any element to be displayed in the top layer. This is 
> similar to the <dialog> element, but has several important differences, 
> including light-dismiss behavior, popover interaction management, animation 
> and event support, and the lack of a "modal" mode.
>
>
> Blink component: Blink>HTML>Popover 
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EHTML%3EPopover>
>
> TAG review: https://github.com/w3ctag/design-reviews/issues/743
>
> TAG review status: Issues addressed
>
> Risks
>
>
> Interoperability and Compatibility
>
>
>
> *Gecko*: Positive (
> https://github.com/mozilla/standards-positions/issues/698)
>
> *WebKit*: Positive (
> https://github.com/WebKit/standards-positions/issues/74)
>
> *Web developers*: Positive. Generally positive feedback from OT 
> participants and OpenUI developer discussion.
>
> *Other signals*:
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that 
> it has potentially high risk for Android WebView-based applications?
>
>
>
> Debuggability
>
> A feature has been added to devtools which shows all of the elements that 
> are currently in the top layer, plus annotations of those elements in the 
> Elements tree. Elements that use the popover API will be shown with this 
> feature.
>
>
> Will this feature be supported on all six Blink platforms (Windows, Mac, 
> Linux, Chrome OS, Android, and Android WebView)? No
>
> Is this feature fully tested by web-platform-tests 
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
> ? No
>
> Flag name: #enable-experimental-web-platform-features
>
> Requires code in //chrome? False
>
> Tracking bug: https://crbug.com/1307772
>
> Measurement
> https://chromestatus.com/metrics/feature/timeline/popularity/4191
> https://chromestatus.com/metrics/feature/timeline/popularity/4464
> https://chromestatus.com/metrics/feature/timeline/popularity/4465
>
> Estimated milestones
> OriginTrial desktop last 114
> OriginTrial desktop first 106
> DevTrial on desktop 104
> OriginTrial Android last 114
> OriginTrial Android first 106
> DevTrial on Android 104
> OriginTrial webView last 114
> OriginTrial webView first 106
>
> Anticipated spec changes
>
> Open questions about a feature may be a source of future web compat or 
> interop issues. Please list open issues (e.g. links to known github issues 
> in the project for the feature specification) whose resolution may 
> introduce web compat/interop risk (e.g., changing to naming or structure of 
> the API in a non-backward-compatible way).
>
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/5463833265045504
>
> Links to previous Intent discussions: Intent to prototype: 
> https://groups.google.com/a/chromium.org/g/blink-dev/c/9y-Thg9UCxY/m/_4gShWjQAAAJ
> Intent to Experiment: 
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDjJOC2%2B5aHfAoN8wOx8T0gtm%3D-o6eNK5XD6Ps5iRet6zA%40mail.gmail.com
> Intent to Extend Experiment: 
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDgMYePRFVsPLWyzKUYgkygR4C7iT88--h0zXGBKeckXeQ%40mail.gmail.com
> Intent to Extend Experiment: 
> https://groups.google.com/a/chromium.org/g/blink-dev/c/r3IwTXB8MG8/m/d4SjSV-GAgAJ
>
>
> This intent message was generated by Chrome Platform Status 
> <https://chromestatus.com/>.
>

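The concern above is that a sanitizer written to strip `<script>`, `<object>` and `on*` handlers will pass a bare `popover` attribute straight through, letting embedded content escape its stacking context. The following is an added example, not code from the thread, Chromium, or any wiki software: a small allowlist-based sanitizer built on Python's standard-library `html.parser` that treats `popover`, `popovertarget` and `popovertargetaction` (the attribute names defined by the HTML popover specification) as a distinct category, drops them, and records what it dropped so existing stored content can be audited. The tag and attribute allowlist, the URL scheme rule and the sample input are constructed for the example.

```python
"""Allowlist HTML sanitizer that keeps user-generated content out of the
top layer by dropping the popover attributes (added example)."""
import html
from html.parser import HTMLParser

# Attributes that let markup reach the top layer without any script.
TOP_LAYER_ATTRIBUTES = frozenset({"popover", "popovertarget", "popovertargetaction"})

# Hypothetical allowlist policy for this example: anything not listed is dropped.
ALLOWED_TAGS = frozenset({"p", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                          "div", "span", "img", "br", "button", "code", "pre"})
GLOBAL_ATTRS = frozenset({"class", "id", "title"})
TAG_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = frozenset({"br", "img"})
# Elements whose text content is dropped too, not just the tag itself.
DROP_CONTENT = frozenset({"script", "style", "object"})
# Only absolute http(s), root-relative and fragment URLs are kept.
SAFE_URL_PREFIXES = ("http:", "https:", "/", "#")


def _url_ok(value):
    return value.strip().lower().startswith(SAFE_URL_PREFIXES)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # audit trail: (tag, attribute, reason)
        self._skip_depth = 0   # > 0 while inside script/style/object

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""    # bare attributes such as `popover` arrive as None
            if name in TOP_LAYER_ATTRIBUTES:
                reason = "top-layer"
            elif name.startswith("on"):
                reason = "event handler"
            elif name not in GLOBAL_ATTRS and name not in TAG_ATTRS.get(tag, ()):
                reason = "not allowlisted"
            elif name in ("href", "src") and not _url_ok(value):
                reason = "unsafe url"
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
                continue
            self.dropped.append((tag, name, reason))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output; inside dropped elements it is discarded.
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(untrusted_html):
    """Return (clean_html, dropped) for one fragment of user-generated HTML."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out), parser.dropped


def find_top_layer_attributes(untrusted_html):
    """Audit helper: list (tag, attribute) pairs that would reach the top layer."""
    _, dropped = sanitize(untrusted_html)
    return [(tag, name) for tag, name, reason in dropped if reason == "top-layer"]


# Constructed sample: a fragment mixing classic script vectors with a popover
# and its invoker button, as a wiki page body might contain.
UNTRUSTED = (
    '<p>Hello <b onclick="steal()">world</b></p>'
    '<script>alert(1)</script>'
    '<div popover id="banner" class="panel">Looks like platform UI</div>'
    '<button popovertarget="banner" popovertargetaction="show">Show</button>'
    '<a href="javascript:void(0)">x</a><a href="https://example.org">ok</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(UNTRUSTED)
    print(clean)
    for entry in dropped:
        print("dropped", entry)
```

The explicit `top-layer` branch is redundant with the allowlist but deliberate: it makes the policy visible in the audit trail, which is what a sanitizer maintained with a denylist mindset would need when adding the special case the message describes.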
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/99983806-2238-45b3-a3c8-cc3c25f179a8n%40chromium.org.