Some additional notes: - This API is tested in the declarative ShadowDOM tests in interop2024, and it is counting against us to not have it enabled by default. - The future sanitization options will be added as an optional second parameter to both methods, so there will not be any compat issues with shipping now.
On Wed, Feb 14, 2024 at 1:11 PM Joey Arhar <jar...@chromium.org> wrote: > Contact emailsjar...@chromium.org > > ExplainerNone > > Specificationhttps://html.spec.whatwg.org/C/#unsafe-html-parsing-methods > https://github.com/whatwg/html/pull/9538 > > Summary > > The setHTMLUnsafe and parseHTMLUnsafe methods allow Declarative ShadowDOM > to be used from javascript. In the future, they may also get new parameters > for sanitization. > > > Blink componentBlink>HTML > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EHTML> > > TAG reviewNone > > TAG review statusNot applicable > > Risks > > > Interoperability and Compatibility > > None > > > *Gecko*: No signal (https://bugzilla.mozilla.org/show_bug.cgi?id=1850675) > https://github.com/whatwg/html/pull/9538#issuecomment-1728947778 > > *WebKit*: Positive (https://bugs.webkit.org/show_bug.cgi?id=261143) > > *Web developers*: No signals > > *Other signals*: > > Ergonomics > > This API will likely be used in tandem with Declarative ShadowDOM. The > default usage of this API will not make it hard for chrome to maintain good > performance. > > > Activation > > It will not be challenging for developers to use this feature immediately. > > > Security > > There are no security risks. This API just does declarative ShadowDOM. > There is an "unsafe" in the name because there are future plans to add > sanitization options. https://github.com/WICG/sanitizer-api/issues/185 > https://github.com/whatwg/html/issues/8627 > https://github.com/whatwg/html/issues/8759 > > > WebView application risks > > Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications? > > None > > > Debuggability > > This API does not need any special DevTools features. You can call the > method from the console panel. > > > Will this feature be supported on all six Blink platforms (Windows, Mac, > Linux, ChromeOS, Android, and Android WebView)?Yes > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ?Yes > > Flag name on chrome://flagsHTMLUnsafeMethods > > Finch feature nameHTMLUnsafeMethods > > Requires code in //chrome?False > > Estimated milestones > DevTrial on desktop 120 > DevTrial on Android 120 > > Anticipated spec changes > > Open questions about a feature may be a source of future web compat or > interop issues. Please list open issues (e.g. links to known github issues > in the project for the feature specification) whose resolution may > introduce web compat/interop risk (e.g., changing to naming or structure of > the API in a non-backward-compatible way). > None > > Link to entry on the Chrome Platform Status > https://chromestatus.com/feature/6560361081995264 > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK6btwJiEbhk_YGbVhuUg0emSJTfT%3D20_1bTDMFJxcH5i9tbMQ%40mail.gmail.com.
