https://github.com/apostrophecms/sanitize-html for example is allow-list by
default but can be configured to work as a block-list.

This is hypothetically a problem for any new HTML attribute, however with
this particular one we break a very old CSS contract (stacking/overflow
contexts are only escapable by JS).

On Mon, Mar 20, 2023 at 12:26 PM Philip Jägenstedt <foo...@chromium.org>
wrote:

> Hi Noam,
>
> Do you know if these sanitizers generally work as allowlists or
> blocklists? In other words, will the new popover attribute be allowed
> through current versions of those sanitizers?
>
> Best regards,
> Philip
>
> On Mon, Mar 20, 2023 at 9:19 AM Noam Rosenthal <nrosent...@chromium.org>
> wrote:
>
>> Voicing some concern about this API that I've raised before, and perhaps
>> I'm reading this wrong and it was addressed.
>> Think of CMS-style sites that embed user-generated HTML, like Wikis (I
>> worked on popups for Wikipedia).
>> This HTML is usually sanitized to remove potentially malicious tags
>> (<script>, <object>) and also script-invoking events (on* etc).
>> One of the things those content systems have to do is make sure that the
>> embedded content is clearly separated from the platform UI.
>> That is usually done with z-index & overflow. No matter how you play
>> around with your embedded content, if it is embedded inside a
>> stacking/overflow context, it can't go on top of the platform UI.
>>
>> By allowing showing/hiding top-layer elements without JS, we break this
>> contract and existing HTML sanitization-based systems. Wiki and some other
>> existing CMSs can resolve this by special-casing popover attributes in
>> their sanitizers, but I wonder if it would break existing content systems
>> that don't have that privilege, don't know about it, or are not actively
>> developing their HTML sanitizer.
>>
>> Note that this concern is only about the capability to open a popup
>> without JS.
>>
>> On Friday, March 17, 2023 at 9:00:09 PM UTC+2 Mason Freed wrote:
>>
>>> Contact emails: mas...@chromium.org
>>>
>>> Explainer: https://open-ui.org/components/popup.research.explainer
>>>
>>> Specification: https://html.spec.whatwg.org/multipage/popover.html
>>>
>>> Summary
>>>
>>> An API that can be used to build transient user interface (UI) elements
>>> that are displayed on top of all other web app UI. These include
>>> user-interactive elements like action menus, form element suggestions,
>>> content pickers, and teaching UI. This API uses a new `popover` content
>>> attribute to enable any element to be displayed in the top layer. This is
>>> similar to the <dialog> element, but has several important differences,
>>> including light-dismiss behavior, popover interaction management, animation
>>> and event support, and the lack of a "modal" mode.
>>>
>>>
>>> Blink component: Blink>HTML>Popover
>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EHTML%3EPopover>
>>>
>>> TAG review: https://github.com/w3ctag/design-reviews/issues/743
>>>
>>> TAG review status: Issues addressed
>>>
>>> Risks
>>>
>>>
>>> Interoperability and Compatibility
>>>
>>>
>>>
>>> *Gecko*: Positive (
>>> https://github.com/mozilla/standards-positions/issues/698)
>>>
>>> *WebKit*: Positive (
>>> https://github.com/WebKit/standards-positions/issues/74)
>>>
>>> *Web developers*: Positive (generally positive feedback from OT
>>> participants and OpenUI developer discussion).
>>>
>>> *Other signals*:
>>>
>>> WebView application risks
>>>
>>> Does this intent deprecate or change behavior of existing APIs, such
>>> that it has potentially high risk for Android WebView-based applications?
>>>
>>>
>>>
>>> Debuggability
>>>
>>> A feature has been added to devtools which shows all of the elements
>>> that are currently in the top layer, plus annotations of those elements in
>>> the Elements tree. Elements that use the popover API will be shown with
>>> this feature.
>>>
>>>
>>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>>> Linux, Chrome OS, Android, and Android WebView)? No
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>> No
>>>
>>> Flag name: #enable-experimental-web-platform-features
>>>
>>> Requires code in //chrome? False
>>>
>>> Tracking bug: https://crbug.com/1307772
>>>
>>> Measurement
>>> https://chromestatus.com/metrics/feature/timeline/popularity/4191
>>> https://chromestatus.com/metrics/feature/timeline/popularity/4464
>>> https://chromestatus.com/metrics/feature/timeline/popularity/4465
>>>
>>> Estimated milestones
>>> OriginTrial desktop last 114
>>> OriginTrial desktop first 106
>>> DevTrial on desktop 104
>>> OriginTrial Android last 114
>>> OriginTrial Android first 106
>>> DevTrial on Android 104
>>> OriginTrial webView last 114
>>> OriginTrial webView first 106
>>>
>>> Anticipated spec changes
>>>
>>> Open questions about a feature may be a source of future web compat or
>>> interop issues. Please list open issues (e.g. links to known github issues
>>> in the project for the feature specification) whose resolution may
>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>> the API in a non-backward-compatible way).
>>>
>>>
>>> Link to entry on the Chrome Platform Status
>>> https://chromestatus.com/feature/5463833265045504
>>>
>>> Links to previous Intent discussions:
>>> Intent to prototype:
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/9y-Thg9UCxY/m/_4gShWjQAAAJ
>>> Intent to Experiment:
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDjJOC2%2B5aHfAoN8wOx8T0gtm%3D-o6eNK5XD6Ps5iRet6zA%40mail.gmail.com
>>> Intent to Extend Experiment:
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDgMYePRFVsPLWyzKUYgkygR4C7iT88--h0zXGBKeckXeQ%40mail.gmail.com
>>> Intent to Extend Experiment:
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/r3IwTXB8MG8/m/d4SjSV-GAgAJ
>>>
>>>
>>> This intent message was generated by Chrome Platform Status
>>> <https://chromestatus.com/>.
>>>
>>
>
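The allow-list versus block-list distinction raised at the top of the thread, as an added example that is not part of the discussion and not sanitize-html's code: a toy regex-based start-tag attribute filter runs the same user-supplied fragment through a block-list policy frozen before `popover` existed, an allow-list policy, and a block-list patched to special-case `popover` as the thread suggests. The policies, the sample fragment and the function names are all constructed here.

```javascript
// Added example (not from the thread or from sanitize-html): a toy start-tag
// attribute filter illustrating why allow-list vs block-list matters for a
// newly introduced attribute such as `popover`. It only rewrites attributes
// on start tags; it is a sketch, not a replacement for a maintained sanitizer.

const START_TAG = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
const ATTR = /([^\s=>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Block-list: everything passes except known-dangerous names. Written before
// the popover API shipped, so it knows nothing about `popover`.
const BLOCK_LIST = { mode: "block", attrs: new Set(["style", "srcdoc"]), prefixes: ["on"] };
// Allow-list: only explicitly approved names pass; `popover` is not approved.
const ALLOW_LIST = { mode: "allow", attrs: new Set(["href", "title", "class", "id", "alt", "src"]) };
// Block-list with the special-casing the thread proposes for existing CMSs.
const BLOCK_LIST_PATCHED = { ...BLOCK_LIST, attrs: new Set([...BLOCK_LIST.attrs, "popover"]) };

function attributeAllowed(name, policy) {
  const n = name.toLowerCase();
  if (policy.mode === "allow") return policy.attrs.has(n);
  if (policy.attrs.has(n)) return false;
  return !policy.prefixes.some((p) => n.startsWith(p));
}

// Rewrites every start tag, keeping only attributes the policy permits.
function sanitizeAttributes(html, policy) {
  return html.replace(START_TAG, (_m, tag, rawAttrs, selfClose) => {
    const kept = [];
    for (const [, name, value] of rawAttrs.matchAll(ATTR)) {
      if (attributeAllowed(name, policy)) kept.push(value === undefined ? name : `${name}=${value}`);
    }
    const attrs = kept.length ? " " + kept.join(" ") : "";
    return `<${tag}${attrs}${selfClose}>`;
  });
}

// Constructed user-generated fragment: an on* handler (caught by every policy
// here) and a bare `popover` attribute, which is what lets the element leave
// the embedding page's stacking/overflow context without any script.
const USER_HTML = '<div id="note" popover class="tip" onmouseover="x()">hi</div>';

// True when the sanitized output still carries a `popover` attribute.
function popoverSurvives(policy) {
  return /\bpopover\b/.test(sanitizeAttributes(USER_HTML, policy));
}
```

The block-list lets `popover` through untouched while stripping the handler; the allow-list and the patched block-list both remove it.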
