Hi Chris,

On Mon, Aug 14, 2023 at 5:38 PM Chris Harrelson <[email protected]> wrote:
> I think it's fine to consider removing the current API given usage is
> extremely low, and if there is a more plausible path to interoperability
> via a new version.
>
> Is there consensus on a new API shape yet, or is that an open discussion?
>

It's in active discussion. The new design is being circulated to a wider audience, including the HTML WG (1 <https://github.com/whatwg/html/issues/8942#issuecomment-1462965265>), where this is meant to land eventually. Every PR that defines the new API shape (1 <https://github.com/WICG/sanitizer-api/pull/193>, 2 <https://github.com/WICG/sanitizer-api/pull/194>) has been reviewed by engineers from other browser engines. We are certainly trying to get consensus here. That said, I can't speak for other people or projects.

Daniel

>
> On Fri, Aug 11, 2023 at 7:45 AM 'Daniel Vogelheim' via blink-dev <
> [email protected]> wrote:
>
>> Hi Alex,
>>
>> On Mon, Aug 7, 2023 at 8:13 PM Alex Russell <[email protected]>
>> wrote:
>>
>>> Hey Daniel,
>>>
>>> Hrm, this isn't how things are supposed to work.
>>>
>>> The API OWNERS set a high bar to ship exactly to prevent this sort of
>>> bikeshedding after shipping. Is it possible to make compatible additions
>>> instead?
>>>
>>
>> I agree that this isn't how things are supposed to work, and I certainly
>> didn't plan it this way. The Sanitizer launch in 105 was based on the
>> then-current spec. The feedback we have gotten since is that there are
>> blocking concerns with that API. We worked through them and landed on a
>> different API shape, which other engines now seem committed to. They're
>> unwilling to support the old API.
>>
>> It would be possible for Blink to add the new APIs in addition to the
>> old, and to retain backwards compatibility. However, given that no other
>> engine is likely to support the old APIs as well, it was recommended to me
>> to not do that. The main argument is the impact on the developer community:
>> Are we helping developers by supporting an API shape that has little
>> current usage and is highly unlikely to see a second implementation?
>>
>> I'm happy to follow whatever API Owners recommend: What I'm asking for
>> here is to retire the current API before adding the new one. The
>> alternative would be to retain the existing API and implement the new one
>> on top of it. Either way can work.
>>
>>
>>> Best,
>>>
>>> Alex
>>>
>>> On Monday, August 7, 2023 at 6:35:16 AM UTC-7 Daniel Vogelheim wrote:
>>>
>>>> Contact [email protected]
>>>>
>>>> Explainer
>>>>
>>>> - Old explainer, API as implemented in "MVP" since M105:
>>>>   https://github.com/WICG/sanitizer-api/blob/e72b56b361a31b722b4e14491a83e2d25943ba58/explainer.md
>>>> - New explainer, still in progress, API that we expect to implement
>>>>   eventually:
>>>>   https://github.com/WICG/sanitizer-api/blob/main/explainer.md
>>>>
>>>>
>>>> Specification: https://github.com/WICG/sanitizer-api
>>>>
>>>> Summary
>>>>
>>>> The Sanitizer API (https://chromestatus.com/feature/5786893650231296)
>>>> aims to build an easy-to-use, always secure, browser-maintained HTML
>>>> sanitizer into the platform. It is a cross-browser standardization effort
>>>> starting in Q2/2020. We shipped an initial version of the Sanitizer API in
>>>> M105, based on the then-current specification draft. However, the
>>>> discussion has meanwhile moved on and the proposed API shape has changed
>>>> substantially. In order to prevent the current API from becoming entrenched
>>>> we would like to remove the current implementation. We expect to
>>>> re-implement the Sanitizer API when the proposed specification stabilizes
>>>> again.
>>>>
>>>>
>>>> Blink component: Blink>SecurityFeature>SanitizerAPI
>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ESanitizerAPI>
>>>>
>>>> Motivation
>>>>
>>>> Since the final version of the standard will look different from our
>>>> initial implementation, the goal is to prevent an API from becoming
>>>> entrenched. According to use counters, the Sanitizer API is currently used
>>>> on 0.000000492 % of page visits.
>>>>
>>>> Initial public proposal: None
>>>>
>>>> TAG review: None
>>>>
>>>> TAG review status: Not applicable
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> Sanitizer API is currently used on 0.000000492% of page visits. Since
>>>> presently no other browser supports this API (in any release version) we
>>>> expect the compatibility impact to be negligible.
>>>>
>>>>
>>>> *Gecko*: Positive (
>>>> https://mozilla.github.io/standards-positions/#sanitizer-api) (Note
>>>> that the Firefox position presumably applies to the eventual result of the
>>>> standards effort, not to our current implementation.)
>>>>
>>>> *WebKit*: No signal (
>>>> https://github.com/WebKit/standards-positions/issues/86)
>>>>
>>>> *Web developers*: No signals
>>>>
>>>> *Other signals*:
>>>>
>>>> WebView application risks
>>>>
>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>> that it has potentially high risk for Android WebView-based applications?
>>>>
>>>> None
>>>>
>>>>
>>>> Debuggability
>>>>
>>>>
>>>>
>>>> Is this feature fully tested by web-platform-tests
>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>>> ? Yes
>>>>
>>>> Flag name on chrome://flags: Currently none. Would be happy to
>>>> re-implement the chrome://flags flag if it helps.
>>>>
>>>> Finch feature name: SanitizerAPI
>>>>
>>>> Requires code in //chrome? False
>>>>
>>>> Tracking bug: https://crbug.com/1428276
>>>>
>>>> Estimated milestones
>>>> Shipping on desktop 118
>>>> Shipping on Android 118
>>>> Shipping on WebView 118
>>>>
>>>> Link to entry on the Chrome Platform Status
>>>> https://chromestatus.com/feature/5115076981293056
>>>>
>>>> This intent message was generated by Chrome Platform Status
>>>> <https://chromestatus.com/>.
>>>>
