Script element protection model #507
Comments
|
Aside from the parsing concern I think the current model is simplest, though less memory efficient. |
|
As I noted in the HTML issue there's an observable difference as well. With one of the models if you set it to the same value it will still execute, but with the other it won't. For trusted API callers you could manipulate the contents and then set the trusted bit (possibly after verifying the contents still match the input), maybe? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This issue is to discuss the model for protecting script elements, in the spec we have a mostly finalised idea for protecting them (except during parsing which needs work).
However, it currently relies on us storing a text representation of the children of the script element. If we could instead invalidate a "trusted" boolean when APIs are called this would be better.
For the parsing support there's discussion about modifiying children changed steps to pass through the source of the change, we could use this in general to invalidate the trusted bit (which would start as true).
This might not work as we'd like however as the IDL that should allow you to update would also trigger the children changed steps as if it were an API call?
The text was updated successfully, but these errors were encountered: