[webkit-dev] Request for Position on Sanitizer API

Daniel Vogelheim vogelheim at chromium.org
Mon Mar 14 09:02:29 PDT 2022 

Greetings webkit-dev,

I'd like to ask about your position on the proposed Sanitizer API
<https://github.com/WICG/sanitizer-api/>. The Sanitizer API wants to build
an HTML Sanitizer right into the web platform. The goal is to make it
easier to build XSS-free web applications.

I've asked about this API before
<https://lists.webkit.org/pipermail/webkit-dev/2021-March/031731.html>,
when it was still in an early stage. We now have a more rounded feature
set, a better specification <https://wicg.github.io/sanitizer-api/>, WPT
tests, and two interoperable implementations in Firefox + Chromium, with an
intent to harmonize whatever remaining interop issues we may find. There is
also an intent to move the spec from WebAppSec into HTML proper, but this
has not yet been executed.


The feedback we have received from you last time
<https://lists.webkit.org/pipermail/webkit-dev/2021-March/031738.html> raises
two specific issues, which I'd like to address:

- Usefulness for the clipboard: The clipboard sanitizers
indeed perform additional style-related steps that the Sanitizer API
doesn't. We're interested in addressing this in a future version of the
API. I'll note that Firefox has built their Sanitizer API implementation on
top of the implementation used for the clipboard, so those two sanitizers
can be sufficiently similar and can co-exist rather well. (For Chromium,
we've taken a different path and decided to start with a clean slate.)
I'll also note that it'd be helpful to document which additional steps and
transformations your clipboard sanitizer takes, so that we can take it into
account when specifying that functionality. I unfortunately couldn't find
documentation on the clipboard sanitizers for any of the well-known browser
engines.

- Efficiency of element/attribute maps: In early measurements, I've found
the time spent in parsing/unparsing the HTML to dominate the execution, and
the actual time spent in sanitizing the node tree (and thus in config
lookups) to not be a concern. I intend to re-measure this once I can
observe real-world usage of the API.

Thanks,
Daniel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20220314/01c99437/attachment.htm>

More information about the webkit-dev mailing list