72 points _vvhw | 2 comments
1. ShaneCurran No.21069450
In modern browsers that support the Shadow DOM[1] standard, this is a somewhat solved problem with one caveat: it wasn't built for this use case.

Architecturally, however, it does the job but the challenge is integration with dated browsers. Polyfills for Shadow DOM inherently break the security features it provides.

Better cross-browser Shadow DOM support would be a step in the right direction to making things like DOMPurify safer, but unfortunately it seems like we're a while away from that according to Can I Use[2].

[1]: https://developer.mozilla.org/en-US/docs/Web/Web_Components/...

[2]: https://caniuse.com/#feat=shadowdomv1

2. nerdkid93 No.21071747
I don't think ShadowDOM can be used for security purposes... https://blog.revillweb.com/open-vs-closed-shadow-dom-9f3d742... makes it seem trivial to access closed shadow roots via side channels like prototype manipulation.
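
Added example (not part of either comment): a DOM-free JavaScript model of the point raised in the reply, that `mode: 'closed'` only hides the root from the `shadowRoot` getter, so whichever script reaches `attachShadow` on the prototype first decides who can see the root. `FakeElement` and all function names here are constructed stand-ins, not browser APIs.

```javascript
// Constructed stand-ins for Element and ShadowRoot so this runs without a DOM.
const roots = new WeakMap();
class FakeElement {
  attachShadow({ mode }) {
    const root = { host: this, mode, textContent: '' };
    roots.set(this, root);
    return root;
  }
  // Like the real getter: a closed root is not exposed through its host.
  get shadowRoot() {
    const root = roots.get(this);
    return root && root.mode === 'open' ? root : null;
  }
}

// Reference taken at load time, before any other script has run.
const nativeAttachShadow = FakeElement.prototype.attachShadow;

// The prototype manipulation from the reply, installed before the component runs.
function installWrapper(captured) {
  const original = FakeElement.prototype.attachShadow;
  FakeElement.prototype.attachShadow = function (init) {
    const root = original.call(this, init);
    captured.set(this, root);
    return root;
  };
}

// Relies on mode: 'closed' and resolves attachShadow at call time.
function renderNaive(host, secret) {
  host.attachShadow({ mode: 'closed' }).textContent = secret;
}
// Calls the reference saved before the wrapper could be installed.
function renderWithSavedReference(host, secret) {
  nativeAttachShadow.call(host, { mode: 'closed' }).textContent = secret;
}

// Runs both components on a page where the wrapper is already in place.
function demo() {
  const captured = new WeakMap();
  installWrapper(captured);
  const [a, b] = [new FakeElement(), new FakeElement()];
  renderNaive(a, 'token-A');
  renderWithSavedReference(b, 'token-B');
  FakeElement.prototype.attachShadow = nativeAttachShadow; // undo the wrapper
  const read = (h) => (captured.has(h) ? captured.get(h).textContent : null);
  return { viaGetter: a.shadowRoot, naiveLeaked: read(a), savedLeaked: read(b) };
}
```

The saved reference only helps when the component's script runs before any untrusted script; it does not turn a closed root into a security boundary against same-origin code.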