Request for mechanism to determine if children changed steps are called as a result of script or parser #1288
Labels
addition/proposal
New features or enhancements
needs concrete proposal
Moving the issue forward requires someone to figure out a detailed plan
topic: nodes
Comments
lukewarlow
added
needs implementer interest
annevk
added
topic: nodes
needs concrete proposal
|
cc @otherdaniel as he did the Chromium implementation |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What problem are you trying to solve?
In TrustedTypes we have a need to distinguish between a script's children being changed by an API (e.g. script.appendChild) or changed by the parser.
This is specifically needed as we treat all parsed scripts as trusted by default. However, it's possible for a script to be manipulated before it's finished parsing, and in those cases it shouldn't be trusted.
What solutions exist today?
Both Chromium and WebKit implement a childrenChanged function on their ContainerNode type which I believe translates to the children changed steps concept defined in the DOM algorithm. However, unlike the spec Chromium and WebKit both provide an argument to the function with details, such as the type (what changed and how it changed), and importantly the source of the change (parser vs API).
We can (and do) use this to invalidate scripts in the above described situation.
How would you solve it?
It would be good if the DOM spec matched the reality of at least 2 implementations (unsure about Gecko), and provided details about the change, at the very least for this use case the source of the change.
Anything else?
See w3c/trusted-types#499 (comment) for a long discussion that lead to this issue being raised.
I'm open to any alternative spec mechanisms we can use to spec this behaviour, so if there's a way today or a simpler change we can use let me know.
The text was updated successfully, but these errors were encountered: