[meta] Sanitizer API: ship and prototype an API for html sanitization behind a pref
Categories
(Core :: DOM: Security, task, P3)
People
(Reporter: freddy, Assigned: freddy)
References
(Depends on 6 open bugs)
Details
(Keywords: dev-doc-needed, meta, Whiteboard: [domsecurity-meta])
Spec and explainer at https://github.com/WICG/purification.
We'll experiment and prototype the non-contentious bits behind a pref soon, but the spec is still very young and it will take a couple of iterations
Comment 1•4 years ago
This sounds like something that should be documented at https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Experimental_features and maybe also exposed to about:preferences#experimental.
Sebastian
Comment 2•3 years ago
Hi there, I've invented and implemented the first version of the sanitizer in Gecko. I'd be happy to contribute to the spec as a co-author.
Comment 3•2 years ago
GitHub repo for spec: https://github.com/wicg/sanitizer-api
I've invented and implemented the original version of the sanitizer code in Gecko/Mozilla/Firefox. How can I contribute to the spec? What's the process? PRs? Who decides about them?
FYI, my original motivation for this sanitizer feature in Gecko was a "Sanitized HTML" feature for Thunderbird, so that environments that have very strong security needs (e.g. embassies, dissidents etc.) and cannot afford compromise, even when attacked by state actors, even in the presence of certain critical security holes in the HTML rendering engine (Gecko), can still read HTML email, using a simplified version of the HTML which has everything removed that might have a security hole in Gecko.
Assignee
Comment 4•2 years ago
The spec is mostly done, we're currently facing mostly interop and editorial changes. Chromium is already shipping in pre-release channels and we aim to follow soon.