Intent to Prototype: Sanitizer API

[Daniel Vogelheim]

Contact emails voge...@chromium.org,mk...@chromium.org,l...@chromium.org Explainer https://github.com/WICG/purification Design docs/spec Specification: https://wicg.github.io/purification/ TAG review None Summary Build an API for a user input sanitizer into the web platform, following the design at: https://github.com/WICG/purification Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes.

Is this feature fully tested by web-platform-tests?

We intend to use WPT as the primary test platform for this feature. Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5786893650231296

[Yoav Weiss]

On Fri, Jul 3, 2020 at 1:23 PM 'Daniel Vogelheim' via blink-dev <blin...@chromium.org> wrote:

Contact emails voge...@chromium.org,mk...@chromium.org,l...@chromium.org Explainer https://github.com/WICG/purification Design docs/spec Specification: https://wicg.github.io/purification/ TAG review None

Any particular reason?

 

Summary Build an API for a user input sanitizer into the web platform, following the design at: https://github.com/WICG/purification Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes.

Is this feature fully tested by web-platform-tests?

We intend to use WPT as the primary test platform for this feature. Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5786893650231296

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPMTzPU7QJoohNQjaGVZXjgmNzTjmBdRuuNNB%2BaamcQb3Q%40mail.gmail.com.

[Daniel Vogelheim]

On Fri, Jul 3, 2020 at 1:35 PM Yoav Weiss <yo...@yoav.ws> wrote:

On Fri, Jul 3, 2020 at 1:23 PM 'Daniel Vogelheim' via blink-dev <blin...@chromium.org> wrote:

TAG review None

Any particular reason?

Not really. We're fairly early in the process, and the spec & API shape aren't entirely clear yet. One reason for starting some trial implementation is to figure those things out. I'd have assumed we need more substance for a formal review. That said, I'll be happy to initiate a review if you think the time is right.

[Yoav Weiss]

TAG reviews have a couple of paths nowadays: Early design review vs. specification review. It's possible that it's too early for the former, that's your call.

At the same time, it'd be good to verify we don't file the latter too late, and not give TAG folks enough time to actually look at it. Filing an early design review helps ensure they are familiar with the problem space you're trying to solve, and can provide early guidance. 

[Eli Grey]

I'm confused. How does the "example usage" in the explainer actually justify this API?

Using the Sanitizer API does not affect the security properties of this example code at all:

document.getElementById("...").textContent = sanitizers.html.toString(user_supplied_value);

[Daniel Vogelheim]

You are correct, this was a bad example.

Presently, the purpose of the examples is mostly to demonstrate what the WebIDL fragments mean, and not so much to justify the design. I personally find code examples easier to read than IDL.

[Jun Kokatsu]

+1 on this 😊

Sanitizer API will be useful, especially with Trusted Types. And I hope that this API will have good integration with Trusted Types in a way which will make developer to roll out Trusted Types more easily.

I made some comment to an issue regarding this 😊