Clarify that <details open> fires the toggle event even if the open attribute is set from the parser

[emilio]

https://html.spec.whatwg.org/#the-details-element says:

Whenever the open attribute is added to or removed from a details element, the user agent must queue a task that runs the following steps, which are known as the details notification task steps, for this details element:
[...]

That doesn't say what happens when the parser sets the attribute, so e.g., you load data:text/html,<details open ontoggle="alert(1)">.

Looks like all implementations are interoperable in this case, but it's not so obvious from the spec text, so should probably be clarified. I can write a test.

[domenic]

Good catch. Can you think of anything clearer than just adding "(including by the parser)" to that sentence? It feels a bit unsatisfying, but I don't have any better ideas.

[emilio]

That sounds ok to me. web-platform-tests/wpt#16244 is the test for this.

[annevk]

It seems bad to me that this would dispatch in an XMLHttpRequest document or a HTML module. That could lead to some very surprising behavior and potentially attacks.

[domenic]

I've posted a PR for this at #4574 to align with all existing browsers. Are implementers interested in all changing? I'm skeptical of the value, but I want to be sensitive to @annevk's concerns, so pinging @cdumez / @rniwa @emilio @tkent-google.

[emilio]

We'd probably need data to prove that people are not relying on that behavior...

It's yet another XSS vector, but not sure if that's enough justification to change it (it's not more of an XSS vector than <img onerror> and such).

[emilio]

Oh re-reading my own comment, I guess <img onerror> doesn't trigger the load if the <img> is not connected, I guess that's what @annevk was arguing?

Is there another precedent for something like this?

[annevk]

There's no precedent, this is pretty bad. Having said that, I cannot get

client = new XMLHttpRequest()
client.open("GET", 'data:text/xml,<html xmlns="http://www.w3.org/1999/xhtml"><details open="" ontoggle="alert(1)"/></html>', false);
client.send();
console.log(client.responseXML);

to run script in browsers, so this will need more tests and more complicated behavior if we wanted to go down this route, right?

[domenic]

Scripting is disabled in XML responseDocs. The event fires, but you have to add the handler from outside. See web-platform-tests/wpt#16244 for an example.

[tkent-google]

I filed crbug.com/960252 for adding a new counter to Chrome.

[tkent-google]

I filed crbug.com/960252 for adding a new counter to Chrome.

Result: less than 0.0004% https://chromestatus.com/metrics/feature/timeline/popularity/2978

I think we can change this behavior.

[annevk]

I'd propose we add "is browsing-context connected" to the conditions for queuing the task to fire the event.

[domenic]

At TPAC 2023 we discussed this and are generally OK with firing events from the parser. I'll work on driving #4574 and web-platform-tests/wpt#16244 to completion.