investigate Unsafe HTML parsing methods

links

• https://bugzilla.mozilla.org/show_bug.cgi?id=1887817
• https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#unsafe-html-parsing-methods

So FF128+ has opened this up, so put on your evil hats, people

// FF52-122: TypeError: Document.parseHTMLUnsafe is not a function
// FF123-27: [Exception... "Unexpected error"  nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" ...
// 128: 1887817
try {
	Document.parseHTMLUnsafe('<p></p>')
} catch(e) {}

for example Document.parseHTMLUnsafe('').lastModified does not leak timezone

Is there anything here that concerns us? cc @tjr @pierov

added All Platforms Fingerprinting Needs Information FF128-esr labels

Document.parseHTMLUnsafe(html) ... The document's URL will be about:blank

@tjr This still inherits the principal based on the original doc (URL in the urlbar), right?

the original doc (URL in the urlbar), right?

Not necessarily the "URL in the urlbar" (e.g. in IFrames), but "the principal of the global of the invoking script".

Is there an ELI5 for this method? The spec page is not very illuminating

I couldn't find an MDN page for it yet - it's too new or something

Is there an ELI5 for this method? The spec page is not very illuminating

Original Explainer - not sure it's tailored for a 5yo though

In doubt, you may ask Freddie Braun, the mozillian mastermind behind this.

Ok that explains things for me, thanks @ma1 o/

/cc @ma1

added Task label

added 14.0 stable label

removed Needs Information label

added Next label

removed 14.0 stable label

added 14.0 stable label

marked this issue as related to #42751 (closed)

mentioned in issue #42751 (closed)

assigned to @ma1

made the issue visible to everyone

Nothing to be concerned with here.

closed