Intent to Implement and Ship : onsecuritypolicyviolation event handler IDL attribute

124 views
Skip to first unread message

Sonia Singla

unread,
Oct 20, 2021, 11:41:06 AM10/20/21
to blink-dev

Contact emails

ssi...@igalia.com,

fw...@chromium.org

Explainer:

The securitypolicyviolation event is already implemented in all browsers, one can find document on MDN(https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers/onsecuritypolicyviolation, https://developer.mozilla.org/en-US/docs/Web/API/Element/securitypolicyviolation_event). The securitypolicyviolation event is dispatched when there is a Content Security Policy violation. Typically, the JS code of the web component will listen to securitypolicyviolation events and react with necessary updates.

One could just use addEventListener, but for convenience and consistency with other events (e.g. slotchange) it makes sense to add a IDL onsecuritypolicyviolation attribute.We recently shipped onslotchange idl attribute as well. See - https://groups.google.com/a/chromium.org/g/blink-dev/c/cagoIboJ6Oo/m/aCjiL_FBAgAJ

Developers are used to use EventTarget.onload = ... and <element onload="..."> , but if this does not work for all events, it will be surprising.

Currently, the way to listen an event is:

target.addEventListener("securitypolicyviolation", mylistener);

After this addition an alternative attribute-based form will be

availlable for the developers

element

<target onsecuritypolicyviolation="myListener()">

Doc Link(s):

- https://html.spec.whatwg.org/#handler-onsecuritypolicyviolation

- https://github.com/whatwg/html/pull/2651

- https://chromium-review.googlesource.com/c/chromium/src/+/3226366

Specification

https://html.spec.whatwg.org

Summary

The securitypolicyviolation event is fired when a Content Security Policy is violated.One can listen to that event via the EventTarget.addEventListener() API. The goal is now to expose the onsecuritypolicyviolation IDL attribute from the GlobalEventHandlers interface, so that one can register a listener by attaching this attribute to target elements.

Blink component

Blink>DOM

Motivation

The securitypolicyviolation event is fired when a Content Security Policy is violated.

One can naturally listen to that event via the

EventTarget.addEventListener() API. However, web developers are also

familiar with the alternative attribute-based form (e.g.

element.addEventListener("securitypolicyviolation

", ...) Vs on <element onsecuritypolicyviolation="...">)

which is sometimes convenient for quick testing. For consistency with

other events, an attribute onsecuritypolicyviolation is thus added.

TAG review

TAG review status

This is  asmall change to an existing spec implemented in browsers and discussed at WHATWG - https://github.com/whatwg/html/pull/2651, https://github.com/w3c/webappsec-csp/issues/184

Risks

Interoperability and Compatibility

Gecko:

Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1727302)

WebKit:

Shipped/Shipping (https://bugs.webkit.org/show_bug.cgi?id=229381)

Web developers:

N/A

Debuggability

No DevTools changes are required, treated like any other event/attribute.

Is this feature fully tested by web-platform-tests?

Yes

Web Platform Tests:
  1. w3c/web-platform-tests/dom/idlharness.window.html 

  2. w3c/web-platform-tests/html/webappapis/scripting/events/event-handler-all-global-events.html

  3. w3c/web-platform-tests/html/webappapis/scripting/events/event-handler-attributes-body-window-expected.txt 

  4. w3c/web-platform-tests/mathml/relations/html5-tree/math-global-event-handlers.tentative.html

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1242893

Patch:

https://chromium-review.googlesource.com/c/chromium/src/+/3226366

Estimated milestones

-

Link to entry on the Chrome Platform Status

https://www.chromestatus.com/features/5639484386312192

ssi...@igalia.com

unread,
Oct 20, 2021, 11:44:16 AM10/20/21
to blin...@chromium.org
Contact emails
ssi...@igalia.com, fw...@chromium.org

Explainer:
The securitypolicyviolation event is already implemented in all
browsers, one can find document on
MDN(https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers/onsecuritypolicyviolation,
https://developer.mozilla.org/en-US/docs/Web/API/Element/securitypolicyviolation_event).
The securitypolicyviolation event is dispatched when there is a Content
Security Policy violation. Typically, the JS code of the web component
will listen to securitypolicyviolation events and react with necessary
updates.

One could just use addEventListener, but for convenience and consistency
with other events (e.g. slotchange) it makes sense to add a IDL
onsecuritypolicyviolation attribute which also reflect the attribute on
elements. We recently shipped slotchange idl attriubte as well
(https://groups.google.com/a/chromium.org/g/blink-dev/c/cagoIboJ6Oo/m/yje1mcIUBAAJ)

Developers are habitual to use EventTarget.onload = ... and <element
This is just a small change to an existing spec implemented in browsers
and discussed at WHATWG

TAMURA, Kent

unread,
Oct 20, 2021, 9:52:29 PM10/20/21
to ssi...@igalia.com, blin...@chromium.org
LGTM1.  It's a small straight-forward change.



--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/35dc5869ac062cb1fd0e8d9bca3f05e3%40igalia.com.


--
TAMURA Kent
Software Engineer, Google


Yoav Weiss

unread,
Oct 21, 2021, 2:34:57 AM10/21/21
to Sonia Singla, blink-dev
LGTM1 to catch up with other implementations on this.


Agree that a TAG review is not needed in this case.
 
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Yoav Weiss

unread,
Oct 21, 2021, 3:09:07 AM10/21/21
to TAMURA, Kent, Sonia Singla, blink-dev
LGTM2 to catch up here

(Apparently we have 2 intent emails for this..)

Daniel Bratell

unread,
Oct 21, 2021, 1:57:57 PM10/21/21
to Yoav Weiss, Sonia Singla, blink-dev

Daniel Bratell

unread,
Oct 21, 2021, 2:14:47 PM10/21/21
to Yoav Weiss, TAMURA, Kent, Sonia Singla, blink-dev

Indeed, so I'm making my LGTM2 on the other thread into an LGTM3 on this thread.

/Daniel

Daniel Bratell

unread,
Oct 21, 2021, 2:15:29 PM10/21/21
to Yoav Weiss, Sonia Singla, blink-dev

This got 3 LGTMs on a different thread.

Joe Medley

unread,
Oct 27, 2021, 1:25:12 PM10/27/21
to Daniel Bratell, Yoav Weiss, TAMURA, Kent, Sonia Singla, blink-dev
Hi,

In which version of Chrome do you hope to ship?
Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com | 816-678-7195
If an API's not documented it doesn't exist.


Manuel Rego Casasnovas

unread,
Oct 28, 2021, 5:53:22 AM10/28/21
to Joe Medley, Daniel Bratell, Yoav Weiss, TAMURA, Kent, Sonia Singla, blink-dev
This will ship in M97.

Cheers,
Rego

On 27/10/2021 19:24, 'Joe Medley' via blink-dev wrote:
> Hi,
>
> In which version of Chrome do you hope to ship?
> Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com
> <mailto:jme...@google.com> | 816-678-7195
> /If an API's not documented it doesn't exist./
>
>
> On Thu, Oct 21, 2021 at 11:14 AM Daniel Bratell <brat...@gmail.com
> <mailto:brat...@gmail.com>> wrote:
>
> Indeed, so I'm making my LGTM2 on the other thread into an LGTM3 on
> this thread.
>
> /Daniel
>
> On 2021-10-21 09:08, Yoav Weiss wrote:
>> LGTM2 to catch up here
>>
>> (Apparently we have 2 intent emails for this..)
>>
>> On Thu, Oct 21, 2021 at 3:50 AM TAMURA, Kent <tk...@chromium.org
>> <mailto:tk...@chromium.org>> wrote:
>>
>> LGTM1.  It's a small straight-forward change.
>>
>>
>>
>> On Thu, Oct 21, 2021 at 12:44 AM <ssi...@igalia.com
>> <mailto:ssi...@igalia.com>> wrote:
>>
>> Contact emails
>> ssi...@igalia.com <mailto:ssi...@igalia.com>,
>> fw...@chromium.org <mailto:fw...@chromium.org>
>>
>> Explainer:
>> The securitypolicyviolation event is already implemented
>> in all
>> browsers, one can find document on
>> MDN(https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers/onsecuritypolicyviolation
>> <https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers/onsecuritypolicyviolation>,
>> https://developer.mozilla.org/en-US/docs/Web/API/Element/securitypolicyviolation_event
>> <https://developer.mozilla.org/en-US/docs/Web/API/Element/securitypolicyviolation_event>).
>> The securitypolicyviolation event is dispatched when there
>> is a Content
>> Security Policy violation. Typically, the JS code of the
>> web component
>> will listen to securitypolicyviolation events and react
>> with necessary
>> updates.
>>
>> One could just use addEventListener, but for convenience
>> and consistency
>> with other events (e.g. slotchange) it makes sense to add
>> a IDL
>> onsecuritypolicyviolation attribute which also reflect the
>> attribute on
>> elements. We recently shipped slotchange idl attriubte as well
>> (https://groups.google.com/a/chromium.org/g/blink-dev/c/cagoIboJ6Oo/m/yje1mcIUBAAJ
>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/cagoIboJ6Oo/m/yje1mcIUBAAJ>)
>>
>> Developers are habitual to use EventTarget.onload = ...
>> and <element
>> onload="..."> , but if this does not work for all events,
>> it will be
>> surprising.
>>
>> Currently, the way to listen an event is:
>> target.addEventListener("securitypolicyviolation",
>> mylistener);
>>
>> After this addition an alternative attribute-based form
>> will be
>> availlable for the developers
>> element
>> <target onsecuritypolicyviolation="myListener()">
>>
>> Doc Link(s):
>> -
>> https://html.spec.whatwg.org/#handler-onsecuritypolicyviolation
>> <https://html.spec.whatwg.org/#handler-onsecuritypolicyviolation>
>> - https://github.com/whatwg/html/pull/2651
>> <https://github.com/whatwg/html/pull/2651>
>> -
>> https://chromium-review.googlesource.com/c/chromium/src/+/3226366
>> <https://chromium-review.googlesource.com/c/chromium/src/+/3226366>
>>
>> Specification
>> https://html.spec.whatwg.org <https://html.spec.whatwg.org>
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1727302>)
>>
>> WebKit:
>> Shipped/Shipping
>> (https://bugs.webkit.org/show_bug.cgi?id=229381
>> <https://bugs.webkit.org/show_bug.cgi?id=229381>)
>> <mailto:blink-dev%2Bunsu...@chromium.org>.
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/35dc5869ac062cb1fd0e8d9bca3f05e3%40igalia.com>.
>>
>>
>>
>> --
>> TAMURA Kent
>> Software Engineer, Google
>>
>>
>> --
>> You received this message because you are subscribed to the
>> Google Groups "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from
>> it, send an email to blink-dev+...@chromium.org
>> <mailto:blink-dev+...@chromium.org>.
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGH7WqFNhQ6QYFP9pyYe3Xtx5LHZdty%3DopoMRWSjy%3DOg-exdtQ%40mail.gmail.com
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGH7WqFNhQ6QYFP9pyYe3Xtx5LHZdty%3DopoMRWSjy%3DOg-exdtQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to blink-dev+...@chromium.org
>> <mailto:blink-dev+...@chromium.org>.
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfWfPAMQdB1ncpXmMKcE6CrvpjsjD-fDWooBfYR-_fN1-w%40mail.gmail.com
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfWfPAMQdB1ncpXmMKcE6CrvpjsjD-fDWooBfYR-_fN1-w%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>
> --
> You received this message because you are subscribed to the Google
> Groups "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to blink-dev+...@chromium.org
> <mailto:blink-dev+...@chromium.org>.
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2c35eeda-7928-dad1-2384-a8e5b1908e5f%40gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2c35eeda-7928-dad1-2384-a8e5b1908e5f%40gmail.com?utm_medium=email&utm_source=footer>.
>
> --
> You received this message because you are subscribed to the Google
> Groups "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to blink-dev+...@chromium.org
> <mailto:blink-dev+...@chromium.org>.
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJUhtG9Mmn2qi%2BygpEb7iLopbHrrchXX2zs_4qH9sV8Df9uNSw%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJUhtG9Mmn2qi%2BygpEb7iLopbHrrchXX2zs_4qH9sV8Df9uNSw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
Reply all
Reply to author
Forward
0 new messages