Ready for Trial: Sanitizer API

48 views
Skip to first unread message

Daniel Vogelheim

unread,
Mar 22, 2021, 7:11:01 AMMar 22
to blink-dev

Contact emails

voge...@chromium.orgmk...@chromium.orgl...@chromium.org

Explainer

https://github.com/WICG/sanitizer-api

Specification

https://wicg.github.io/sanitizer-api/

API spec

Yes

Summary

The Sanitizer API wants to build an HTML Sanitizer right into the web platform. The goal is to make it easier to build XSS-free web applications. The intended contributions of the Sanitizer API are: Making a sanitizer more easily accessible to web developers; be easy to use and safe by default; and shift part of the maintenance burden to the platform


Blink component

Blink>SecurityFeature


TAG review status

Pending - In preparation. The WICGroup would like to get one important spec item resolved before sending this off to TAG.

Risks


Interoperability and Compatibility

Gecko: In development (https://groups.google.com/g/mozilla.dev.platform/c/C4EHeQlaMbU/m/C8hNg9ehBwAJ)
A position statement has been requested. By my reading, the answer received is skeptical but avoids taking a definite stance one way or another. Please follow the link for details.

Web developers: No signals

Security

The goal of this feature is to make security more accessible. We generally consider this feature low risk, since it's an additive feature that does extend or interact with existing platform security mechanisms. The specification lists several security risks that are being considered during development of the feature: https://wicg.github.io/sanitizer-api/#security-considerations



Goals for experimentation

Mainly, API usability.
There are several open API questions the WICGroup is considering. We hope that a dev trial will give us feedback on whether the API is useful in its current form, and how to proceed with the outstanding questions.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes - Test coverage will be improved as we go along. On the plus side, both TT + Chromium implementations pass the current tests. :)

Tracking bug

https://crbug.com/1101982

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5786893650231296

This intent message was generated by Chrome Platform Status. (Plus edits.)

Thomas Steiner

unread,
Mar 22, 2021, 7:28:38 AMMar 22
to Daniel Vogelheim, blink-dev
On Mon, Mar 22, 2021 at 12:11 PM 'Daniel Vogelheim' via blink-dev <blin...@chromium.org> wrote:

Contact emails

voge...@chromium.orgmk...@chromium.orgl...@chromium.org

Explainer

https://github.com/WICG/sanitizer-api

Specification

https://wicg.github.io/sanitizer-api/

API spec

Yes

Summary

The Sanitizer API wants to build an HTML Sanitizer right into the web platform. The goal is to make it easier to build XSS-free web applications. The intended contributions of the Sanitizer API are: Making a sanitizer more easily accessible to web developers; be easy to use and safe by default; and shift part of the maintenance burden to the platform


Blink component

Blink>SecurityFeature


TAG review status

Pending - In preparation. The WICGroup would like to get one important spec item resolved before sending this off to TAG.

Risks


Interoperability and Compatibility

Gecko: In development (https://groups.google.com/g/mozilla.dev.platform/c/C4EHeQlaMbU/m/C8hNg9ehBwAJ)
A position statement has been requested. By my reading, the answer received is skeptical but avoids taking a definite stance one way or another. Please follow the link for details.

Web developers: No signals

I think based on https://goo.gle/developer-signals, it is fair to say Web developers feedback is positive based on the reaction to this tweet: https://twitter.com/tomayac/status/1304384984191569920.
Reply all
Reply to author
Forward
0 new messages