Intent to Ship: Sanitizer API MVP


Daniel Vogelheim

Jun 1, 2022, 5:09:43 AM
to blink-dev

Contact emails

voge...@chromium.org
mk...@chromium.org
l...@chromium.org

Explainer

https://github.com/WICG/sanitizer-api
https://web.dev/sanitizer

Specification

https://wicg.github.io/sanitizer-api

Docs

https://web.dev/sanitizer
https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API

Summary

The Sanitizer API offers an easy-to-use and safe-by-default HTML Sanitizer API, which developers can use to remove content that may execute script from arbitrary, user-supplied HTML content. The goal is to make it easier to build XSS-free web applications. The intended contributions of the Sanitizer API are: making a sanitizer more easily accessible to web developers; being easy to use and safe by default; and shifting part of the maintenance burden to the platform. This is the initial "MVP". This implements the current spec except for two features, the .sanitize and .sanitizeFor methods on the Sanitizer object, in order to leave room for more discussion. Our intent is to add the missing features once the discussion has run its course. In all other aspects, this launch faithfully implements the spec as currently written. We feel the current implementation already adds substantial value to the web platform as-is.



Blink component

Blink>SecurityFeature>SanitizerAPI

TAG review

https://github.com/w3ctag/design-reviews/issues/619

TAG review status

Issues addressed

Risks

Interoperability and Compatibility

This is a new API that does not modify existing behaviour. A comprehensive WPT test suite ensures cross-browser compatibility.


Gecko: In development (https://github.com/mozilla/standards-positions/issues/106). A prototype is in development: https://groups.google.com/g/mozilla.dev.platform/c/C4EHeQlaMbU/m/C8hNg9ehBwAJ

WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2021-March/031731.html, https://lists.webkit.org/pipermail/webkit-dev/2022-March/032155.html). A position statement has been requested. The answer received to date (2021-03-18) avoids giving a definite answer one way or another. Please follow the links for details.

Web developers: Positive. There have been several articles or blog posts about the Sanitizer API, with a generally positive undertone. Examples:
https://portswigger.net/daily-swig/google-mozilla-close-to-finalizing-sanitizer-api-for-chrome-and-firefox-browsers
https://blog.bitsrc.io/javascript-sanitizer-api-the-modern-way-to-safe-dom-manipulation-828d5ea7dca6
https://css-tricks.com/html-sanitizer-api/


Security

The goal of this feature is to make security more accessible. We generally consider this feature low risk, since it's an additive feature that does not extend or interact with existing platform security mechanisms. The specification lists several security risks that are being considered during development of the feature: https://wicg.github.io/sanitizer-api/#security-considerations



WebView application risks

n/a



Debuggability

Sanitizer API can be readily debugged with existing DevTools. It does not have hidden state (or other "special" integration) that would warrant customized DevTools support.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

Flag name

SanitizerAPIv0

Requires code in //chrome?

False

Tracking bug

https://crbug.com/1101982

Launch bug

https://crbug.com/1306863

Measurement

Several counters for API calls are defined. (E.g. https://source.chromium.org/search?q=MeasureAs%3DSanitizerAPI%20file:%5C.idl$ )

Estimated milestones

105


Anticipated spec changes

The plan of record is to migrate the current WICG spec to HTML proper:
https://github.com/WICG/sanitizer-api/issues/114
https://github.com/whatwg/html/issues/7197


Two apparently contentious API choices were removed from this launch, which is what makes this an MVP. By making sure the MVP only contains agreed upon APIs we allow for the future evolution of the API in any direction.

https://github.com/WICG/sanitizer-api/issues/129 

https://github.com/WICG/sanitizer-api/issues/128


The present spec requires a secure context. This might be dropped in a future version.

The present spec does not support namespaced content (like SVG or MathML). This is likely to be added in a future version.

 

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5786893650231296

This intent message was generated by Chrome Platform Status; plus manual editing.

Yoav Weiss

Jun 1, 2022, 5:48:07 AM
to Daniel Vogelheim, blink-dev
On Wed, Jun 1, 2022 at 11:09 AM Daniel Vogelheim <voge...@chromium.org> wrote:


So will this only support the `setHTML()` option initially?
 
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNZ1TE5wbApR4-scTLjwKT54vzB_FLjnqbLLth%2BJmLpUQ%40mail.gmail.com.

Daniel Vogelheim

Jun 1, 2022, 6:55:07 AM
to Yoav Weiss, blink-dev
On Wed, Jun 1, 2022 at 11:47 AM Yoav Weiss <yoav...@chromium.org> wrote:


So will this only support the `setHTML()` option initially?

Yes, exactly.

Yoav Weiss

Jun 1, 2022, 8:48:55 AM
to Daniel Vogelheim, blink-dev
LGTM1 % explainer update

On Wed, Jun 1, 2022 at 12:55 PM Daniel Vogelheim <voge...@google.com> wrote:
On Wed, Jun 1, 2022 at 11:47 AM Yoav Weiss <yoav...@chromium.org> wrote:


So will this only support the `setHTML()` option initially?

Yes, exactly.

It'd be good to update the explainer to indicate that more clearly. Right now, `setHTML()` is not well-represented there. We should also make sure that developers don't assume that the existence of a `Sanitizer` object implies the existence of `Sanitizer.sanitize` and feature-detect for it.
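Both the intent's summary (the MVP ships the spec minus `.sanitize` and `.sanitizeFor`, so `setHTML()` is the only entry point) and the feature-detection concern raised just above can be made concrete in code. The block below is an added example, not code from the intent thread, from Chromium, or from the Sanitizer API project. It detects each piece of the MVP surface separately instead of inferring `sanitize` from the presence of the `Sanitizer` constructor, and it renders untrusted markup only through `setHTML()`, degrading to plain text rather than `innerHTML` where the platform sanitizer is absent. Assumptions: the `setHTML(input, { sanitizer })` call shape is taken from the spec as written at the time; `detectSanitizerSupport`, `renderUntrusted`, `makeMvpGlobal` and the sample input are hypothetical names constructed for this example, and the stand-in browser global only records calls, it does not sanitize.

```javascript
// Added example, not code from the intent thread or the Sanitizer API project.
// Feature-detects the MVP surface (Sanitizer constructor + Element.prototype.setHTML,
// but no Sanitizer.prototype.sanitize / sanitizeFor) and renders untrusted HTML
// only through setHTML(). The global object is a parameter so the logic can be
// exercised outside a browser against constructed stand-ins.

function detectSanitizerSupport(g = globalThis) {
  const hasSanitizer = typeof g.Sanitizer === 'function';
  const proto = hasSanitizer ? g.Sanitizer.prototype : null;
  const hasSetHTML =
    typeof g.Element === 'function' &&
    typeof g.Element.prototype.setHTML === 'function';
  return {
    sanitizer: hasSanitizer,
    setHTML: hasSetHTML,
    // Checked individually: the MVP exposes the constructor without these methods.
    sanitize: hasSanitizer && typeof proto.sanitize === 'function',
    sanitizeFor: hasSanitizer && typeof proto.sanitizeFor === 'function',
  };
}

// Render untrusted markup into `el`; returns which path was taken.
function renderUntrusted(el, untrustedHtml, g = globalThis) {
  const support = detectSanitizerSupport(g);
  if (support.sanitizer && support.setHTML) {
    // Assumed call shape from the spec as then written: setHTML(input, { sanitizer }).
    // A default-constructed Sanitizer applies the spec's built-in safe defaults.
    el.setHTML(untrustedHtml, { sanitizer: new g.Sanitizer() });
    return 'setHTML';
  }
  // No platform sanitizer available: never fall back to innerHTML, show it as text.
  el.textContent = untrustedHtml;
  return 'textContent';
}

// Constructed stand-in for a browser exposing the MVP surface. setHTML here only
// records the call (no sanitization); it exists to exercise the logic above.
function makeMvpGlobal() {
  class Sanitizer {
    constructor(config = {}) { this.config = config; }
  }
  class Element {
    setHTML(input, options) { this.lastSetHTML = { input, options }; }
  }
  return { Sanitizer, Element };
}

// Constructed sample of untrusted input: markup a sanitizer must neutralize.
const SAMPLE_UNTRUSTED = '<p>hello</p><script>alert(1)</script>';

function demo() {
  const mvp = makeMvpGlobal();
  const el = new mvp.Element();
  const path = renderUntrusted(el, SAMPLE_UNTRUSTED, mvp);
  return { support: detectSanitizerSupport(mvp), path, recorded: el.lastSetHTML };
}
```

In a real page `detectSanitizerSupport()` and `renderUntrusted(el, html)` run against the browser's own `globalThis`; the stand-in is only there so the dispatch can be checked offline. The `support.sanitize` and `support.sanitizeFor` flags come back `false` on an MVP-shaped browser, which is exactly the case the explainer should warn developers about.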

Daniel Bratell

Jun 1, 2022, 12:08:15 PM
to Yoav Weiss, Daniel Vogelheim, blink-dev

Alex Russell

Jun 1, 2022, 12:14:30 PM
to blink-dev, Daniel Bratell, blink-dev, Yoav Weiss, Daniel Vogelheim
LGTM3

Excited about this.

On Wednesday, June 1, 2022 at 9:08:15 AM UTC-7 Daniel Bratell wrote:

LGTM2

/Daniel

On 2022-06-01 14:48, Yoav Weiss wrote:
LGTM1 % explainer update
