[imports]: <link rel=import> shouldn't be active when added by innerHTML (bugzilla: 26898) #193
Comments
|
This is one of the few ways to directly execute script from I agree with @sicking that this won't prevent XSS, but I disagree that it's not meaningful. Anecdotal, Google folks tell me that +@annevk, how would you feel about adding the "already started" bit to a section of https://html.spec.whatwg.org/#parsing-main-inhead:already-started for |
|
I'm pretty sure that imports will go away. Last time the WG met we discussed a concept called "HTML modules" and the couple times before that nobody other than Google was interested in HTML imports. Although it has a specification, it isn't really part of the platform I think. |
|
I agree. I don't really care what happens to the HTML imports in its current form as that's not something we would be interested in implementing. |
|
Any teaser on future HTML modules ? :) |
|
Let me close this issue as we do not spend time on HTML Imports moving forward. |
Title: [imports]: shouldn't be active when added by innerHTML (bugzilla: 26898)
Migrated from: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26898
comment: 0
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26898#c0
Morrita Hajime wrote on 2014-09-24 20:07:27 +0000.
Reported at https://code.google.com/p/chromium/issues/detail?id=416036
As <script>, it should be disabled when injected by innerHTML.
cf. http://www.w3.org/TR/2008/WD-html5-20080610/dom.html#innerhtml0
comment: 1
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26898#c1
Jonas Sicking wrote on 2014-09-24 20:51:51 +0000.
Why?
The <script> thing was mostly done in order to get compatibility with existing content. Specifically there was a lot of content out there that did things like:
document.getElementById('elem').innerHTML += "hello world";
This code did not expect the script elements to execute again because back in those days dynamically inserted <script> elements almost never executed.
I don't think any of those reasons apply here.
First of all "reimporting" the same URL is a no-op since we de-duplicate imports, right?
Second, there's no existing content that we need to be compatible with since imports are a new feature.
The reason I'd rather not make exceptions for innerHTML is that it creates arbitrary and hard-to-learn inconsistencies. Why innerHTML but not outerHTML or insertAdjecentHTML? What about the jQuery provided $("markup here") and parseHTML?
comment: 2
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26898#c2
Morrita Hajime wrote on 2014-09-24 22:24:07 +0000.
Good question. Your points are valid.
I heard that the <script> blacklisting is a safeguard for reducing XSS.
Is it misunderstanding the intention of the spec?
comment: 3
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=26898#c3
Jonas Sicking wrote on 2014-09-24 22:35:34 +0000.
The current limitation was mainly added in order to be compatible with the web. It was originally not added for any security reasons.
I don't think that blocking <script> in innerHTML is a meaningful XSS-prevention mechanism. But others might disagree.
The text was updated successfully, but these errors were encountered: