Greetings webkit-dev, I'd like to ask about your position on the proposed Sanitizer API <https://github.com/WICG/sanitizer-api/>. The Sanitizer API wants to build an HTML Sanitizer right into the web platform. The goal is to make it easier to build XSS-free web applications.
I've asked about this API before <https://lists.webkit.org/pipermail/webkit-dev/2021-March/031731.html>, when it was still in an early stage. We now have a more rounded feature set, a better specification <https://wicg.github.io/sanitizer-api/>, WPT tests, and two interoperable implementations in Firefox + Chromium, with an intent to harmonize whatever remaining interop issues we may find. There is also an intent to move the spec from WebAppSec into HTML proper, but this has not yet been executed.

The feedback we received from you last time <https://lists.webkit.org/pipermail/webkit-dev/2021-March/031738.html> raises two specific issues, which I'd like to address:

- Usefulness for the clipboard: The clipboard sanitizers indeed perform additional style-related steps that the Sanitizer API doesn't. We're interested in addressing this in a future version of the API. I'll note that Firefox has built their Sanitizer API implementation on top of the implementation used for the clipboard, so those two sanitizers can be sufficiently similar and can co-exist rather well. (For Chromium, we've taken a different path and decided to start with a clean slate.) I'll also note that it'd be helpful to document which additional steps and transformations your clipboard sanitizer takes, so that we can take it into account when specifying that functionality. I unfortunately couldn't find documentation on the clipboard sanitizers for any of the well-known browser engines.

- Efficiency of element/attribute maps: In early measurements, I've found the time spent in parsing/unparsing the HTML to dominate the execution, and the actual time spent in sanitizing the node tree (and thus in config lookups) to not be a concern. I intend to re-measure this once I can observe real-world usage of the API.

Thanks,
Daniel
_______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
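The mail above discusses two things a reader may want to see concretely: what an allowlist-driven element/attribute map does to a node tree, and how the cost of those config lookups compares with parsing and serializing the markup. The following is an added example, not part of the original mail and not WebKit's, Firefox's or Chromium's code. It is a toy sanitizer over a tiny hand-written HTML parser (Node.js, no DOM), so it runs offline; the config shape (`allowElements` / `allowAttributes` / `dropElements`) is an assumption loosely modelled on the WICG draft, and the parser only handles a small, well-formed subset of HTML. `profile()` separates the three phases so you can check the parse-dominates observation on your own input.

```javascript
// Added example (not the Sanitizer API, nor any browser's code): a toy
// allowlist sanitizer over a minimal HTML tree. Config shape is an assumption
// modelled on the WICG draft. Parser covers only a well-formed subset: tags,
// quoted/unquoted attributes, text; no comments, no entity decoding, no
// raw-text rules for <script>/<style>, no URL-scheme checks on href.

const VOID = new Set(['br', 'hr', 'img', 'input', 'meta', 'link']);

// Parse into {type:'element', name, attrs, children} / {type:'text', value} nodes.
function parseHTML(html) {
  const root = { type: 'element', name: '#root', attrs: {}, children: [] };
  const stack = [root];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {                                 // text run up to the next '<'
      let end = html.indexOf('<', i);
      if (end === -1) end = html.length;
      stack[stack.length - 1].children.push({ type: 'text', value: html.slice(i, end) });
      i = end;
      continue;
    }
    const end = html.indexOf('>', i);
    if (end === -1) throw new Error('unterminated tag');
    const raw = html.slice(i + 1, end).trim();
    i = end + 1;
    if (raw.startsWith('/')) {                             // end tag: pop to matching open element
      const idx = stack.map((n) => n.name).lastIndexOf(raw.slice(1).trim().toLowerCase());
      if (idx > 0) stack.length = idx;                     // unmatched end tags are ignored
      continue;
    }
    const selfClosing = raw.endsWith('/');
    const m = /^([a-zA-Z][a-zA-Z0-9]*)\s*([\s\S]*)$/.exec(selfClosing ? raw.slice(0, -1) : raw);
    if (!m) throw new Error('bad start tag: ' + raw);
    const name = m[1].toLowerCase();
    const attrs = {};
    const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    const el = { type: 'element', name, attrs, children: [] };
    stack[stack.length - 1].children.push(el);
    if (!selfClosing && !VOID.has(name)) stack.push(el);
  }
  return root;
}

// Drop-listed elements vanish with their subtree; elements not in the allow
// set are "blocked" (removed, children kept); allowed elements keep only the
// attributes the attribute map permits on that element name (or on '*').
function sanitizeChildren(node, config) {
  const out = [];
  for (const child of node.children) {
    if (child.type === 'text') { out.push(child); continue; }
    if (config.dropElements.has(child.name)) continue;
    const kept = sanitizeChildren(child, config);
    if (!config.allowElements.has(child.name)) { out.push(...kept); continue; }
    const attrs = {};
    for (const [k, v] of Object.entries(child.attrs)) {
      const on = config.allowAttributes[k];
      if (on && (on.includes('*') || on.includes(child.name))) attrs[k] = v;
    }
    out.push({ type: 'element', name: child.name, attrs, children: kept });
  }
  return out;
}

function serialize(nodes) {
  return nodes.map((n) => {
    if (n.type === 'text') return n.value;                 // tokenizer guarantees no '<' inside
    const attrs = Object.entries(n.attrs).map(([k, v]) => ` ${k}="${v.replace(/"/g, '&quot;')}"`).join('');
    return VOID.has(n.name) ? `<${n.name}${attrs}>` : `<${n.name}${attrs}>${serialize(n.children)}</${n.name}>`;
  }).join('');
}

const DEFAULT_CONFIG = {                                   // constructed sample config
  allowElements: new Set(['p', 'b', 'i', 'a', 'ul', 'li', 'br']),
  allowAttributes: { href: ['a'], title: ['*'] },          // attribute -> element names it may sit on
  dropElements: new Set(['script', 'style', 'iframe']),
};

function sanitize(html, config = DEFAULT_CONFIG) {
  return serialize(sanitizeChildren(parseHTML(html), config));
}

// Time the three phases separately (ms totals over `iterations` runs).
function profile(html, config = DEFAULT_CONFIG, iterations = 1000) {
  const t = { parseMs: 0, sanitizeMs: 0, serializeMs: 0 };
  for (let i = 0; i < iterations; i++) {
    const t0 = performance.now();
    const tree = parseHTML(html);
    const t1 = performance.now();
    const clean = sanitizeChildren(tree, config);
    const t2 = performance.now();
    serialize(clean);
    t.parseMs += t1 - t0; t.sanitizeMs += t2 - t1; t.serializeMs += performance.now() - t2;
  }
  return t;
}

console.log(sanitize('<p onclick="steal()">Hi <b>there</b><script>evil()</script></p>'));
console.log(profile('<div class="x"><a href="/doc" target="_blank" title="T">link</a></div>'));
```

The first call yields `<p>Hi <b>there</b></p>`: the event-handler attribute is gone because no map entry permits it, and the `<script>` subtree is dropped outright. A `<div>` that is merely not allowed is unwrapped rather than dropped, which is the block-versus-drop distinction the allow/drop lists express. Note that every per-node decision is a `Set.has` or object-key lookup, which is why, as the mail reports, the tree walk is cheap next to tokenizing and re-serializing the markup.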