-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Script element mid-parse protection mechanism #525
Comments
cc @mbrodesser-Igalia it would be good if you or someone else from mozilla could provide input on whether Gecko has a similar concept to WebKit and Chromium here. If they do then it makes the case for standardising this, and specifically this protection mechanism better. |
This was referenced Jun 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This issue is here to track the specific spec mechanism for protecting against a script that's edited mid-parse.
To avoid needing to look all over here's a summary. As of #499 all parsed scripts are trusted. The problem with this approach is that a script elements contents can be changed from JS before it finishes parsing. This is case tested by the first subtest of https://wpt.live/trusted-types/HTMLScriptElement-internal-slot.html and https://wpt.live/trusted-types/SVGScriptElement-internal-slot.html.
Chromium and WebKit's approach is to store a boolean flag on the HTML/SVGScriptElement which gets set to true, if the children of the script element are changed by an API. This flag is then checked before setting the script text data.
We cannot spec this directly due to the DOM specs children changed steps not providing the information as to whether something is changed by an API or parser. whatwg/dom#1288 - has been raised to discuss changes to the DOM spec which would be needed for this.
The text was updated successfully, but these errors were encountered: