-
Notifications
You must be signed in to change notification settings - Fork 385
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC4077: Improved process for handling deprecated HTML features #4077
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| # MSC4077: Improved process for handling deprecated HTML features | ||
|
|
||
| The Matrix specification [defines](https://spec.matrix.org/v1.8/client-server-api/#mroommessage-msgtypes) | ||
| a subset of HTML which clients *should* use when rendering messages, limiting the possibility for | ||
| Cross-Site Scripting (XSS) and similar attacks. Clients are always welcome to use a different subset | ||
| in both their send and receive paths, however in practice the recommended set of HTML has become the | ||
| baseline standard for support among Matrix client developers. | ||
|
|
||
| Additionally, to fix issues like [tags being deprecated](https://github.com/matrix-org/matrix-spec/issues/1492), | ||
| the existing spec process would require an entire MSC to add or remove the tag. This has precedent | ||
| through [MSC2422](https://github.com/matrix-org/matrix-spec-proposals/pull/2422) and | ||
| [MSC2184](https://github.com/matrix-org/matrix-spec-proposals/pull/2184), where additional HTML | ||
| features are analyzed from a security perspective. For example, whether XSS attacks are more probable | ||
| or flooding/disruption attempts are made easier. | ||
|
|
||
| This proposal adjusts the MSC process to explicitly allow changes to the supported HTML tags where | ||
| the WHATWG has deprecated a feature in favour of another, enabling more rapid iteration and reducing | ||
| paperwork for everyone involved. | ||
|
|
||
| ## Proposal | ||
|
|
||
| Where the WHATWG has deprecated a feature of the HTML specification, a Matrix spec PR *may* bypass the | ||
| MSC process to use the modern feature instead. In the case of [issue#1492](https://github.com/matrix-org/matrix-spec/issues/1492), | ||
| the spec PR is explicitly able to add the `s` tag and remove the `strike` tag. Note that such changes | ||
| can also bypass the [deprecation policy](https://spec.matrix.org/v1.8/#deprecation-policy) in this way. | ||
|
|
||
| It is left to the discretion of the spec PR reviewer as to whether an MSC is required. In general, an | ||
| MSC should be requested when the replacement HTML feature is not quite the same as the old feature. | ||
| The reviewer *may* also decide whether to keep supporting the old, deprecated, feature for some time. | ||
| For example, replacing `strike` with `s` may mean that both tags are supported for 1-2 Matrix spec | ||
| versions before `strike` can be dropped. | ||
|
|
||
| For clarity, an MSC is always required to add net-new features to the HTML subset, or to remove a | ||
| feature entirely. An example of this is [MSC2398](https://github.com/matrix-org/matrix-spec-proposals/pull/2398). | ||
| These changes are subject to interoperability and security review, and cannot bypass the MSC process. | ||
|
|
||
| ## Potential issues | ||
|
|
||
| The author notes that this MSC might not need to exist under the banner of pragmatism, however for all | ||
| the effort to *not* write an MSC, an MSC has been written for review. | ||
|
|
||
| ## Alternatives | ||
|
|
||
| Critically, without agreement that replacing deprecated HTML features can happen outside the MSC process, | ||
| changes to the HTML subset become slow and burdensome for no apparent gain. | ||
|
|
||
| ## Security considerations | ||
|
|
||
| Special care and attention is expected to be taken by spec PR reviewers to ensure that changes are | ||
| safe and in line with the semantics of this proposal's guidance. | ||
|
|
||
| ## Unstable prefix | ||
|
|
||
| Not applicable. This is a process MSC. | ||
|
|
||
| ## Dependencies | ||
|
|
||
| None applicable. |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While this is a process MSC, it may still be worth noting in the spec that tags may be deprecated when the WHATWG deprecates them.