[webkit-dev] Request for Position on Sanitizer API

2022-03-14 Thread Daniel Vogelheim via webkit-dev 
Greetings webkit-dev,

I'd like to ask about your position on the proposed Sanitizer API
. The Sanitizer API wants to build
an HTML Sanitizer right into the web platform. The goal is to make it
easier to build XSS-free web applications.

I've asked about this API before
,
when it was still in an early stage. We now have a more rounded feature
set, a better specification , WPT
tests, and two interoperable implementations in Firefox + Chromium, with an
intent to harmonize whatever remaining interop issues we may find. There is
also an intent to move the spec from WebAppSec into HTML proper, but this
has not yet been executed.


The feedback we have received from you last time
 raises
two specific issues, which I'd like to address:

- Usefulness for the clipboard: The clipboard sanitizers
indeed perform additional style-related steps that the Sanitizer API
doesn't. We're interested in addressing this in a future version of the
API. I'll note that Firefox has built their Sanitizer API implementation on
top of the implementation used for the clipboard, so those two sanitizers
can be sufficiently similar and can co-exist rather well. (For Chromium,
we've taken a different path and decided to start with a clean slate.)
I'll also note that it'd be helpful to document which additional steps and
transformations your clipboard sanitizer takes, so that we can take it into
account when specifying that functionality. I unfortunately couldn't find
documentation on the clipboard sanitizers for any of the well-known browser
engines.

- Efficiency of element/attribute maps: In early measurements, I've found
the time spent in parsing/unparsing the HTML to dominate the execution, and
the actual time spent in sanitizing the node tree (and thus in config
lookups) to not be a concern. I intend to re-measure this once I can
observe real-world usage of the API.

Thanks,
Daniel
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

[webkit-dev] Request for Position: Origin-Agent-Cluster default / deprecating document.domain

2021-12-09 Thread Daniel Vogelheim via webkit-dev 
Hello webkit-dev,

I'd like to get your position on assigning documents to origin-keyed agent
clusters by default. This would effectively deprecate document.domain
setting, and make it available only as an opt-in feature.

Explainer: https://github.com/mikewest/deprecating-document-domain

Details:
We'd like to change the treatment of Origin-Agent-Cluster
 so
that the default - an absent or malformed header - would be treated as
enabling origin-keyed agent clusters. This would turn the
Origin-Agent-Cluster:-header from an opt-in into an opt-out feature. As a
consequence, browsers could origin-isolate more pages.
The developer-visible consequence is that modifying document.domain in
order to relax same-origin restrictions, which is already deprecated
, will
turn into an opt-in feature that must be explicitly requested.


Further info:
TAG discussion on the subject:
https://github.com/w3ctag/design-reviews/issues/564
Explainer: https://github.com/mikewest/deprecating-document-domain
HTML Spec on Origin-Agent-Cluster:
https://html.spec.whatwg.org/multipage/origin.html#origin-isolation
HTML Spec on document.domain:
https://html.spec.whatwg.org/#relaxing-the-same-origin-restriction
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

[webkit-dev] Request for Position on Sanitizer API

2021-03-15 Thread Daniel Vogelheim via webkit-dev 
Hello webkit-dev,

I'd like to request a position statement on the proposed Sanitizer API
.

The Sanitizer API wants to build an HTML Sanitizer right into the web
platform. The goal is to make it easier to build XSS-free web applications.
The intended contributions of the Sanitizer API are: Making a sanitizer
more easily accessible to web developers; be easy to use and safe by
default; and shift part of the maintenance burden to the platform.

Currently available are an explainer
 and
an early spec draft , and early
prototype implementations in Chromium & Firefox
,
behind flags.

Thank you for your consideration!
Daniel
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev