Sanitizer API incorrectly hidden behind a pref
Categories
(Core :: DOM: Security, defect)
Tracking
()
Version | Tracking | Status |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox81 | --- | unaffected |
firefox82 | --- | wontfix |
firefox83 | --- | fixed |
firefox84 | --- | fixed |
People
(Reporter: freddy, Assigned: freddy)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: dev-doc-complete, regression)
Attachments
(1 file)
47 bytes, text/x-phabricator-request | pascalc: approval-mozilla-beta+
```
[Exposed=Window, SecureContext]
interface Sanitizer {
  [Pref="dom.security.sanitizer.enabled", Throws]
  constructor(optional SanitizerOptions options = {}); // optionality still discussed in spec
  ...
};
```
The `Pref=` should be on the interface in the first line.
Comment 1•4 years ago
|
||
Assignee | ||
Comment 3•4 years ago
|
||
Comment on attachment 9183709 [details]
Bug 1673309 - Sanitizer should be behind a pref
Beta/Release Uplift Approval Request
- User impact if declined: The patch moves an experimental API behind a pref. Not taking this patch could cause a Web Compat issue, mostly for forthcoming releases, when feature testing based on `'Sanitizer' in window`.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce: Automated tests should cover this.
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The API ought to be behind a pref, while still under development. Taking the patch makes stuff less risky.
- String changes made/needed: None
Comment 5•4 years ago
|
||
Backed out changeset d431052b6dec (Bug 1673309) for causing mochitest failures in test_interfaces_secureContext.html
Backout link: https://hg.mozilla.org/integration/autoland/rev/d260f821050b6e66da57981bc3e94d4537d6f807
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=319749058&repo=autoland&lineNumber=3144
Assignee | ||
Comment 7•4 years ago
|
||
bugherder |
Comment 9•4 years ago
|
||
Comment on attachment 9183709 [details]
Bug 1673309 - Sanitizer should be behind a pref
Approved for 83 beta 5, thanks.
Comment 10•4 years ago
|
||
bugherder uplift |
Comment 11•4 years ago
|
||
Documentation added:
- https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API
- https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Experimental_features#dom
Please let us know if you think this needs anything else. Thanks!
Comment 12•4 years ago
|
||
Hi - I'm wondering if someone could clarify in which version of FF this was available. From the thread here I understand Sanitizer was available in 82/83? But only behind the correct pref in 84?
Thank you!
Assignee | ||
Comment 13•4 years ago
|
||
Firefox 82 exposed the Sanitizer constructor, but the methods hanging off of the constructed object have never been exposed.
Firefox 83 (when in Nightly and Beta) was also affected by this issue, but this has been addressed before Firefox 83 was released.
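The false positive from `'Sanitizer' in window` described in the uplift request and in comment 13, as an added example that is not part of this bug or of Firefox's code. The `detectSanitizer` helper, the constructed stand-in scopes, and the method name `sanitize` are assumptions made for illustration; the page does not name the methods.

```javascript
// Added example, not Firefox code. The method name "sanitize" is an assumption:
// the page does not say which methods the constructed object should have.
const REQUIRED_METHODS = ["sanitize"];

function detectSanitizer(scope, requiredMethods = REQUIRED_METHODS) {
  // The check quoted in the uplift request; true whenever the interface object exists.
  if (!("Sanitizer" in scope)) {
    return { usable: false, reason: "interface-missing" };
  }
  if (typeof scope.Sanitizer !== "function") {
    return { usable: false, reason: "not-a-constructor" };
  }
  // The IDL marks the constructor [Throws], so construction is guarded.
  let instance;
  try {
    instance = new scope.Sanitizer();
  } catch (err) {
    return { usable: false, reason: "constructor-threw" };
  }
  // Comment 13's case: the constructor exists but the methods do not.
  const missing = requiredMethods.filter((m) => typeof instance[m] !== "function");
  if (missing.length > 0) {
    return { usable: false, reason: "methods-missing", missing };
  }
  return { usable: true, reason: "ok", instance };
}

// Constructed stand-ins for `window` in four situations.
const scopes = {
  absent: {},
  constructorOnly: { Sanitizer: class {} },
  throwing: { Sanitizer: class { constructor() { throw new TypeError("disabled"); } } },
  complete: { Sanitizer: class { sanitize(input) { return input; } } },
};

for (const [name, scope] of Object.entries(scopes)) {
  const naive = "Sanitizer" in scope;
  console.log(name, "naive:", naive, "robust:", detectSanitizer(scope).reason);
}
```

Code that falls back to its own sanitizer should branch on `usable`, not on the `in` check, so a half-exposed interface still takes the fallback path.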
Assignee | ||
Comment 14•4 years ago
|
||
The experimental (yet to be properly specified) API works as intended when setting the pref `dom.security.sanitizer.enabled` in any version after Firefox 82. Given that this is a prototype of an upcoming specification, we do not make any stability or functionality guarantees for it.
Comment 15•4 years ago
|
||
Thank you so much! Appreciated