Primary eng (and PM) emails
Summary
Do not evaluate classic scripts if their <script> elements are moved between Documents during fetching.
Script elements can still be moved between Documents, but they won't be executed.
The current HTML spec (https://html.spec.whatwg.org) executes such scripts, but spec discussion is ongoing to stop executing such scripts:
https://github.com/whatwg/html/issues/2469
https://github.com/whatwg/html/pull/2673
https://github.com/web-platform-tests/wpt/pull/5911
Such scripts are already prevented from being evaluated on Firefox (all scripts) and Chromium (module scripts only).
This intent is to align the behavior of classic scripts on Chromium with Firefox.
Motivation
This is to prevent possible security bugs, because there have been several bad XSS-related bugs in Chromium due to the code path for executing <script> elements moved between Documents.
This will also simplify the spec and implementation of the current and future web platform features.
Interoperability and Compatibility Risk
Firefox: Already stops executing scripts moved between Documents.
Safari: No signal
See https://github.com/web-platform-tests/wpt/pull/5911#issuecomment-301188437 for a summary of current behaviors.
Alternative implementation suggestion for web developers
Instead of moving <script>s between documents, recreate them in the appropriate document. This will ensure they are fetched and evaluated in the expected context, i.e. that of the new document.
To re-create scripts, usual DOM APIs can be used, e.g.
const script = otherDocument.createElement('script');
script.textContent = originalScript.textContent;
otherDocument.body.append(script);
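The following is an added demo page, not part of the intent or of any WPT test: it moves a classic script between an iframe's Document and the top Document while its fetch is pending (which, after this change, means the script never evaluates and no load event fires), and then applies the re-creation pattern recommended above. The script body is served from a constructed blob: URL so the page runs offline.

```html
<!DOCTYPE html>
<!-- Added demo (not from the intent): observe a script moved during fetching
     and compare with re-creating the element in the destination Document. -->
<meta charset="utf-8">
<title>Moved-script demo</title>
<pre id="log"></pre>
<iframe id="frame" srcdoc="<body></body>"></iframe>
<script>
// Function declaration so the iframe can reach it as top.log.
function log(msg) {
  document.getElementById('log').textContent += msg + '\n';
}

// Constructed script body; reports which Document it actually ran in.
const src = URL.createObjectURL(new Blob(
  ["top.log('script executed in the ' + " +
   "(document === top.document ? 'top' : 'iframe') + ' document');"],
  {type: 'text/javascript'}));

const frame = document.getElementById('frame');
frame.addEventListener('load', () => {
  const frameDoc = frame.contentDocument;

  // 1. Moved during fetching: prepared in the iframe Document, adopted into
  //    the top Document before the fetch completes. With this change the
  //    script is never evaluated and neither load nor error fires.
  const moved = frameDoc.createElement('script');
  moved.src = src;
  moved.onload = () => log('moved script: load fired');
  moved.onerror = () => log('moved script: error fired');
  frameDoc.body.append(moved);   // starts the fetch in the iframe Document
  document.body.append(moved);   // moves the element while fetching

  // 2. Recommended pattern: re-create the element in the destination
  //    Document (copy src, or textContent for inline scripts) so it is
  //    fetched and evaluated in that Document's context.
  const recreated = document.createElement('script');
  recreated.src = moved.src;
  recreated.onload = () => log('recreated script: load fired');
  document.body.append(recreated);
});
</script>
```

On a browser with the new behavior the log shows only the re-created script executing (in the top document) and its load event; on an older Chromium the moved script executes as well.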
Usage information from UseCounter
Affects about <0.001% of page loads:
https://www.chromestatus.com/metrics/feature/timeline/popularity/2528
Entry on the feature dashboard
https://www.chromestatus.com/feature/6025903192670208
Requesting approval to remove too?
Yes (M-79).
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOaYce72peyEH9xbKBTN7DUyi-ftb25uig-_w9BrmjVmi4A4VQ%40mail.gmail.com.
We were waiting on the use counter data to see if Chrome (i.e. a second implementer) was interested. At this point we can merge the PR, although it will need to be rebased since it has been a while.
Also, I am going on vacation starting soon, so it may not land for two weeks for incidental reasons.