A declarative API to allow the creation of #shadowroot's using only HTML and no Javascript. Sign up for an Origin Trial (M85-M89) here: https://developers.chrome.com/origintrials/#/register_trial/2024368032503037953 Blog post: https://web.dev/declarative-shadow-dom/
The main interoperability risk would be that other browsers fail to implement this API. This feature is quite polyfillable, so it should still be usable while other implementations are being completed.
Much thought has been given to the ergonomics of this API. A more ergonomic alternative, that of a new <shadowroot> element, would create significant web compat problems for browsers that do not yet support the new element. The biggest risk of the current proposal is that it does not *also* solve the declarative adoptedStylesheets problem. That is, to include stylesheets within declarative shadowroots, inline <style> elements must be used. That isn't as large of a penalty as it would seem, but it is a stumbling block. See https://github.com/whatwg/dom/issues/831#issuecomment-585451735, point #3 for more discussion of this issue.
This feature is rather polyfillable - see https://github.com/mfreed7/declarative-shadow-dom/blob/master/README.md#feature-detection-and-polyfilling. However, any such polyfill would require Javascript to work, and the primary motivation for this feature is no-JS SSR. However, for sites that want to use Web Components and Shadow DOM, it would seem that such a polyfill could be written in a way that does not impact performance for browsers that have implemented this proposal, and does no worse for browsers that have not yet supported this API.
The prior implementation of <template> caused significant parser security issues. While this proposal attempts to re-use as much as possible of the existing <template> implementation, there are a few required changes. It is possible that those changes introduce new security holes. Additionally, the existing implementation of <template> could also still contain undiscovered security problems. There is a specific concern that has been identified for existing (non-upgraded, old) XSS sanitizer libraries. This concern has been mitigated by creating an opt-in mechanism for the fragment parser. There is an extensive discussion of this issue in the explainer (https://github.com/mfreed7/declarative-shadow-dom/blob/master/README.md#security-and-privacy-considerations) and in the #912 issue thread (https://github.com/whatwg/dom/issues/912).
Since this is a parser-only feature, parsed DOM content will contain only "normal" #shadowroot nodes. Devtools already fully supports Shadow DOM, and all of those existing tools will continue to apply to this new method of declaratively creating Shadow DOM.
https://github.com/whatwg/dom/issues/831#issuecomment-718534647 seems rather negative on a streaming requirement. Is that an issue?
https://github.com/whatwg/dom/issues/831#issuecomment-718534647 seems rather negative on a streaming requirement. Is that an issue?That's a good question. There's been significant discussion about streaming vs. non-streaming declarative Shadow DOM. (The streaming version would parse shadow root contents directly into a newly-created shadow root, as they're parsed. The current proposal/implementation is non-streaming: we parse into an inert DocumentFragment, and then move contents over to the shadow root upon the closing </template> tag.) The comment you reference is the primary reason we've gone with the non-streaming solution: WebKit is quite opposed to such a solution, because of the potential for security issues. Security issues were encountered for years after the implementation of <template>, and there is a desire not to repeat that.
So I actually see the referenced comment as supportive of this aspect of the current proposal.
On Wed, Feb 24, 2021 at 12:40 AM Mason Freed <mason...@chromium.org> wrote:https://github.com/whatwg/dom/issues/831#issuecomment-718534647 seems rather negative on a streaming requirement. Is that an issue?That's a good question. There's been significant discussion about streaming vs. non-streaming declarative Shadow DOM. (The streaming version would parse shadow root contents directly into a newly-created shadow root, as they're parsed. The current proposal/implementation is non-streaming: we parse into an inert DocumentFragment, and then move contents over to the shadow root upon the closing </template> tag.) The comment you reference is the primary reason we've gone with the non-streaming solution: WebKit is quite opposed to such a solution, because of the potential for security issues. Security issues were encountered for years after the implementation of <template>, and there is a desire not to repeat that.That sounds perfectly reasonable.
Having read through the TAG review and streaming discussion, I want to make sure I properly understand: if/when we realize that the performance penalty of not streaming DSD is significant (e.g. for the `<app></app>` case or for large page components), what would be the path to adding such streaming support? Would that just be a spec & implementation change? Would content need to opt-in?
I'm not so familiar with the discussions; could you briefly summarize
what the security issues with streaming are? Thanks!
LGTM1I'm excited about this enabling faster Web Components. I'm less excited about the lack of streaming, but there seems to be clear tension between that and future interoperability. As such, I'll take a future path towards making DSD streaming, in case we'll see the lack of streaming being a bottleneck.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDhBXMJi3gjXRCSheXvoXsEvv85h8cV0RusUCe-g8YU7vg%40mail.gmail.com.
LGTM3. I'd like to note that I particularly appreciate the way y'all worked with various security teams' feedback around sanitizers. Thank you.On Friday, February 26, 2021 at 1:24:33 AM UTC+1 Kent Tamura wrote:LGTM2