AIUI this effectively allows a website to declaratively do something
that would currently require JavaScript.
Would these attributes be subject to CSP, sandboxing or specific HTML
sanitizer behaviour at all (and if so, in what way)? Because if not, I
imagine that these would potentially allow escalation of a website
security vulnerability from a markup injection to something approaching
XSS - that is, doing things on the vulnerable website that would require
XSS without implementation of this proposal. Or is that an accepted risk
and/or are the invoke targets/actions sufficiently underpowered that
this was not deemed a concern?
~ Gijs
PS: Apologies if this got brought up in the spec or previous discussion,
but I was unable to find relevant keywords in any of the spec / pull /
explainer links. The explainer does acknowledge that inline JS is
frowned upon and often disabled via CSP, and that this is a more
declarative mechanism to do the same thing, but I couldn't find anything
more than that.
On 03/11/2023 00:30, Keith Cirkel wrote:
/Summary/:
Adding invoketarget and invokeaction attributes to <button> and
<input type="button"> / <input type="reset"> elements would allow
authors to assign behaviour to buttons in a more accessible and
declarative way, while reducing bugs and simplifying the amount of
JavaScript pages are required to ship for interactivity. Buttons with
invoketarget will - when clicked, touched, or enacted via keypress -
dispatch an InvokeEvent on the element referenced by invoketarget,
with some default behaviours.
/Bug/:
https://bugzilla.mozilla.org/show_bug.cgi?id=1856430
/Specification/:
https://github.com/whatwg/html/pull/9841
/Standards Body/:
WHATWG
/Platform coverage/:
all.
/Preference/:
dom.element.invokers.enabled
/DevTools bug/:
n/a.
/Link to standards-positions discussion/:
https://github.com/mozilla/standards-positions/issues/902
/Other browsers/:
Blink: Prototyping
(https://groups.google.com/a/chromium.org/g/blink-dev/c/tDanwUCp2cg/m/IPc9hvHcFAAJ).
WebKit: No Signal.
/web-platform-tests/:
https://wpt.fyi/results/html/semantics/invokers?label=experimental&label=master&aligned
--
You received this message because you are subscribed to the Google
Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/3c383a64-c7d8-4ece-86e1-590fda1e27d9%40app.fastmail.com
<https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/3c383a64-c7d8-4ece-86e1-590fda1e27d9%40app.fastmail.com?utm_medium=email&utm_source=footer>.
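As an added illustration of the sanitizer question raised in the thread above (example code written for this page, not from the thread, the WHATWG proposal, or any browser or library): a denylist-style HTML sanitizer that only knows about `on*` handlers and `javascript:` URLs passes the proposed `invoketarget` / `invokeaction` attributes straight through, while an allowlist-style policy drops them without ever having heard of them. The sample markup, the element id `confirm-dialog`, and the `invokeaction` value `example-action` are constructed placeholders; the tag and attribute regexes are deliberately minimal and are not a production parser.

```javascript
// Constructed sample of user-controlled markup (placeholder values, not from the thread).
const SAMPLE =
  '<p>Hello <b>world</b></p>' +
  '<button invoketarget="confirm-dialog" invokeaction="example-action">x</button>' +
  '<a href="javascript:void(0)" onclick="doSomething()">link</a>';

// Minimal start/end tag tokenizer and attribute splitter, enough for this demonstration.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
const ATTR_RE = /([^\s"'=<>`\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function parseAttrs(raw) {
  const attrs = [];
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

function serialize(slash, name, attrs) {
  if (slash === '/') return `</${name}>`;
  const parts = attrs.map(a => ` ${a.name}="${a.value.replace(/"/g, '&quot;')}"`).join('');
  return `<${name}${parts}>`;
}

function isScriptUrl(attr) {
  return /^(href|src|action)$/.test(attr.name) && /^\s*javascript:/i.test(attr.value);
}

// Denylist policy: removes event handler attributes and javascript: URLs.
// Anything it has no rule for is kept, so a newly specified attribute that
// carries behaviour (invoketarget / invokeaction) survives untouched.
function sanitizeDenylist(html) {
  return html.replace(TAG_RE, (_, slash, name, raw) => {
    const kept = parseAttrs(raw).filter(a => !a.name.startsWith('on') && !isScriptUrl(a));
    return serialize(slash, name.toLowerCase(), kept);
  });
}

// Allowlist policy: only listed tags survive, and only listed attributes per tag.
// The new attributes are dropped without the policy having to name them.
const ALLOWED_TAGS = ['p', 'b', 'a', 'button'];
const ALLOWED_ATTRS = { a: ['href', 'title'], button: ['type', 'disabled'] };

function sanitizeAllowlist(html) {
  return html.replace(TAG_RE, (_, slash, name, raw) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.includes(tag)) return '';
    const allowed = ALLOWED_ATTRS[tag] || [];
    const kept = parseAttrs(raw).filter(a => allowed.includes(a.name) && !isScriptUrl(a));
    return serialize(slash, tag, kept);
  });
}

// Quick check a reviewer can run against their own sanitizer's output.
function hasInvoker(html) {
  return /\binvoke(target|action)=/i.test(html);
}

console.log('denylist :', sanitizeDenylist(SAMPLE), '-> invoker kept:', hasInvoker(sanitizeDenylist(SAMPLE)));
console.log('allowlist:', sanitizeAllowlist(SAMPLE), '-> invoker kept:', hasInvoker(sanitizeAllowlist(SAMPLE)));
```

The point of the two policies side by side is the one Gijs raises: a sanitizer that enumerates dangerous attributes has to be updated every time the platform adds a declarative way to trigger behaviour, whereas one that enumerates permitted attributes per element is unaffected by the new attributes until an author chooses to allow them.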