Security/Reviews/Firefox6/ReviewNotes/HTML5Dataset

From MozillaWiki

HTML 5 Dataset Attribute 2011.06.28

Introduce Feature

  • a way to access HTML elements on forms
  • shortcut for get/set on an attribute
Example:
    <element id="elem" data-big-fish="tuna">

    var k = document.getElementById("elem");
    k.dataset.bigFish;               // reads the data-big-fish attribute: "tuna"
    k.dataset.bigFish = 'goldfish';  // writes the data-big-fish attribute

    <element id="elem" data-big-fish="goldfish">
nsDOMStringMap::AttrToDataProp
nsDOMStringMap::DataPropToAttr
  • Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
    • proper way to embed data into HTML and an easy JS interface to get at it.
  • What solutions/approaches were considered other than the proposed solution?
  • Why was this solution chosen?
  • this is a subset of the HTML5 spec
  • Any security threats already considered in the design and why?

Threat Brainstorming

  • Uppercasing / lowercasing of high-expansion-factor characters such as ß --> SS or U+023A
    • Per spec, case conversion is only done for a-z <--> A-Z
    • and attributes with A-Z are ignored
  • Low-level string manipulation: nsDOMStringMap::DataPropToAttr and nsDOMStringMap::AttrToDataProp
    • "const PRUnichar* next = cur + 1;", "next < end" scares me a little (integer overflow)
  • Why is the member variable a raw pointer? (nsIDOMDOMStringMap* mDataset; // [Weak])
  • Conflicts between "data-" attributes and special property names: __proto__, etc
    • Should be the same as setProperty?
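
The case-conversion and __proto__ items above can be exercised with a small JavaScript model of the name mapping. This is an added example, not Gecko code: attrToDataProp, dataPropToAttr and buildDataset are hypothetical stand-ins for the nsDOMStringMap functions, the mapping rules follow the HTML specification's dataset algorithm, and the backing store is an ordinary JS object, so it says nothing about what Firefox's dataset object does with __proto__.

```javascript
// Model of the data-* <-> dataset name mapping (added example, not Gecko code).

// "data-big-fish" -> "bigFish". Returns null when the attribute is not exposed.
function attrToDataProp(attr) {
  if (!attr.startsWith('data-')) return null;
  const rest = attr.slice(5);
  if (/[A-Z]/.test(rest)) return null; // attributes containing A-Z are ignored
  // Only "-" followed by ASCII a-z is folded. No Unicode case mapping is
  // applied, so characters such as U+00DF or U+023A can never expand.
  return rest.replace(/-([a-z])/g,
    (_, c) => String.fromCharCode(c.charCodeAt(0) - 32));
}

// "bigFish" -> "data-big-fish". Rejects names that could not round-trip.
function dataPropToAttr(prop) {
  if (/-[a-z]/.test(prop)) {
    throw new SyntaxError('"-" followed by a-z is not allowed in a property name');
  }
  return 'data-' + prop.replace(/[A-Z]/g,
    c => '-' + String.fromCharCode(c.charCodeAt(0) + 32));
}

// Build a dataset-like map from [name, value] attribute pairs.
// Default target has no prototype, so "__proto__" is stored as an ordinary key.
// Passing {} instead shows the conflict: the assignment reaches the inherited
// __proto__ setter, which ignores a string value, and the entry is lost.
function buildDataset(attrs, target = Object.create(null)) {
  for (const [name, value] of attrs) {
    const prop = attrToDataProp(name);
    if (prop !== null) target[prop] = value;
  }
  return target;
}

// Constructed sample attributes for illustration.
const sampleAttrs = [
  ['id', 'elem'],
  ['data-big-fish', 'tuna'],
  ['data-__proto__', 'x'],
  ['data-Big-Fish', 'ignored'],
];
console.log(Object.keys(buildDataset(sampleAttrs)));     // null-prototype store
console.log(Object.keys(buildDataset(sampleAttrs, {}))); // plain-object store
```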

Conclusions / Action Items

  • [dchan] Implementation review
  • [wchen] additional tests for __proto__ as property name for dataset object.
    • e.g. data-__proto__ -> dataset.__proto__ ? Would that shadow the prototype, or be hidden by it?