-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Script element protection model #507
Comments
Aside from the parsing concern I think the current model is simplest, though less memory efficient. |
As I noted in the HTML issue there's an observable difference as well. With one of the models if you set it to the same value it will still execute, but with the other it won't. For trusted API callers you could manipulate the contents and then set the trusted bit (possibly after verifying the contents still match the input), maybe? |
This issue is to discuss the model for protecting script elements, in the spec we have a mostly finalised idea for protecting them (except during parsing which needs work).
However, it currently relies on us storing a text representation of the children of the script element. If we could instead invalidate a "trusted" boolean when APIs are called this would be better.
For the parsing support there's discussion about modifiying children changed steps to pass through the source of the change, we could use this in general to invalidate the trusted bit (which would start as true).
This might not work as we'd like however as the IDL that should allow you to update would also trigger the children changed steps as if it were an API call?
The text was updated successfully, but these errors were encountered: