[webkit-dev] Request for Position on Sanitizer API

2022-03-14 Thread Daniel Vogelheim via webkit-dev
Greetings webkit-dev,

I'd like to ask about your position on the proposed Sanitizer API.
The Sanitizer API wants to build
an HTML Sanitizer right into the web platform. The goal is to make it
easier to build XSS-free web applications.

I've asked about this API before,
when it was still in an early stage. We now have a more rounded feature
set, a better specification, WPT
tests, and two interoperable implementations in Firefox + Chromium, with an
intent to harmonize whatever remaining interop issues we may find. There is
also an intent to move the spec from WebAppSec into HTML proper, but this
has not yet been executed.


The feedback we have received from you last time raises
two specific issues, which I'd like to address:

- Usefulness for the clipboard: The clipboard sanitizers
indeed perform additional style-related steps that the Sanitizer API
doesn't. We're interested in addressing this in a future version of the
API. I'll note that Firefox has built their Sanitizer API implementation on
top of the implementation used for the clipboard, so those two sanitizers
can be sufficiently similar and can co-exist rather well. (For Chromium,
we've taken a different path and decided to start with a clean slate.)
I'll also note that it'd be helpful to document which additional steps and
transformations your clipboard sanitizer takes, so that we can take it into
account when specifying that functionality. I unfortunately couldn't find
documentation on the clipboard sanitizers for any of the well-known browser
engines.

- Efficiency of element/attribute maps: In early measurements, I've found
the time spent in parsing/unparsing the HTML to dominate the execution, and
the actual time spent in sanitizing the node tree (and thus in config
lookups) to not be a concern. I intend to re-measure this once I can
observe real-world usage of the API.

Thanks,
Daniel
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev


Re: [webkit-dev] Request for Position on Sanitizer API

2021-03-15 Thread Ryosuke Niwa via webkit-dev
On Mon, Mar 15, 2021 at 7:32 AM Daniel Vogelheim via webkit-dev wrote:
>
> I'd like to request a position statement on the proposed Sanitizer API.
>
> The Sanitizer API wants to build an HTML Sanitizer right into the web 
> platform. The goal is to make it easier to build XSS-free web applications. 
> The intended contributions of the Sanitizer API are: Making a sanitizer more 
> easily accessible to web developers; be easy to use and safe by default; and 
> shift part of the maintenance burden to the platform.
>
> Currently available are an explainer and an early spec draft, and early 
> prototype implementations in Chromium & Firefox, behind flags.

I'm gathering more feedback internally at Apple but here's immediate
feedback I can give you: even if this was a useful API for web
developers, we won't use it to sanitize the content from / to the
system pasteboard (a.k.a. clipboard on Windows) since we rely on style
& rendering information and apply various transformations such as
inlining all the style rules for that purpose. Secondly, we probably
won't reuse this code for sanitizing contents inside our engine since
using hash maps of element names and attribute names per element to
allow or block markup would be simply too inefficient. Reusing
concepts defined in this specification as a mechanism involved by
other specifications seems okay provided we agree that this API / spec
is an overall good idea based on broader discussion.

- R. Niwa
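
The per-element lookups discussed in this message and in the 2022 follow-up (hash maps of element names and attribute names consulted while walking a parsed node tree) can be sketched as follows. This is an added example, not code from the thread, the Sanitizer API specification, or any browser engine; the node shape, the `ALLOW` table, `sanitizeTree` and the sample input are all assumptions made for illustration.

```javascript
// Constructed allow-list: element name -> Set of attributes allowed on it.
// "*" holds attributes allowed on every listed element. Names are illustrative.
const ALLOW = new Map([
  ["*", new Set(["class", "title"])],
  ["p", new Set()],
  ["b", new Set()],
  ["td", new Set(["colspan"])],
]);

// Walk an already-parsed tree and return a sanitized copy plus the number of
// config lookups made. A node is a string (text) or
// { tag, attrs: { name: value }, children: [...] } (hypothetical shape).
function sanitizeTree(node, allow = ALLOW, stats = { lookups: 0 }) {
  if (typeof node === "string") return { node, stats }; // text passes through
  const tag = String(node.tag).toLowerCase();
  stats.lookups++;
  const perElement = tag === "*" ? undefined : allow.get(tag);
  // Safe by default: an element that is not listed is dropped with its subtree.
  if (perElement === undefined) return { node: null, stats };
  const globalAttrs = allow.get("*") || new Set();
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const key = name.toLowerCase();
    stats.lookups++;
    // Unlisted attributes (event handlers, style, ...) are not copied over.
    if (perElement.has(key) || globalAttrs.has(key)) attrs[key] = value;
  }
  const children = [];
  for (const child of node.children || []) {
    const kept = sanitizeTree(child, allow, stats).node;
    if (kept !== null) children.push(kept);
  }
  return { node: { tag, attrs, children }, stats };
}

// Constructed sample input: one paragraph with hostile markup mixed in.
const SAMPLE = {
  tag: "P",
  attrs: { class: "note", onclick: "x()" },
  children: [
    "hi ",
    { tag: "b", attrs: { style: "color:red" }, children: ["there"] },
    { tag: "script", attrs: {}, children: ["alert(1)"] },
  ],
};

const result = sanitizeTree(SAMPLE);
console.log(JSON.stringify(result.node), "lookups:", result.stats.lookups);
```

The walk performs one lookup per element and one per attribute, so the lookup count grows linearly with the size of the parsed tree.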


[webkit-dev] Request for Position on Sanitizer API

2021-03-15 Thread Daniel Vogelheim via webkit-dev
Hello webkit-dev,

I'd like to request a position statement on the proposed Sanitizer API.

The Sanitizer API wants to build an HTML Sanitizer right into the web
platform. The goal is to make it easier to build XSS-free web applications.
The intended contributions of the Sanitizer API are: Making a sanitizer
more easily accessible to web developers; be easy to use and safe by
default; and shift part of the maintenance burden to the platform.

Currently available are an explainer and an early spec draft, and early
prototype implementations in Chromium & Firefox, behind flags.

Thank you for your consideration!
Daniel