Bug 262892

Summary: Implement a more robust guarantee that toggling “details” open-ness can’t lead to arbitrary execution of JavaScript (no events dispatched)
Product: WebKit Reporter: sideshowbarker <mike>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description sideshowbarker 2023-10-09 08:35:16 PDT 
https://github.com/WebKit/WebKit/pull/18281 includes adding a mechanism for causing mutation events not to fire, as required by the HTML standard at https://html.spec.whatwg.org/multipage/dom.html#concept-document-fire-mutation-events-flag and https://html.spec.whatwg.org/multipage/interactive-elements.html#ensure-details-exclusivity-by-closing-other-elements-if-needed — but see https://github.com/WebKit/WebKit/pull/18281#discussion_r1349255737

> This seems fragile to me. Are we guaranteed that mutation events are the only way toggleOpen can lead to arbitrary execution of JavaScript? Because if anything runs and then in turn does other DOM modification, it will run with mutation events disabled. Calling setShouldFireMutationEvents(false) alone seems like a not entirely robust guarantee that no events of any kind will be dispatched. I’m sure that’s true right now, but I can so easily imagine us making a mistake later as we evolve the implementation.
Comment 1 Radar WebKit Bug Importer 2023-10-16 08:36:15 PDT 
<rdar://problem/117019331>