Move the check for HTMLElement and its subclass from customElements.define to construction timing

[rniwa]

Right now, CustomElementsRegistry.define is spec'ed to check whether the interface object inherits from HTMLElement interface or not.

This check is hard to implement in WebKit as is because we don't have a mechanism to check the inheritance hierarchy of interface constructor objects (we can check the inheritance hierarchy of constructed objects via branding).

It's also weird to specifically filter out HTMLElement and their sub-interfaces when we throw the same error for things like Range, Text, and Set.

My preference would be moving this check to the construction time. We can check that new.target is not HTMLElement or one of its subclasses instead.

[rniwa]

@travisleithead @annevk @domenic

[domenic]

Hmm. So let me try to understand your proposed alternate fix. Consider the following:

<!DOCTYPE html>
<bad-1></bad-1> <!-- (1) -->
<script>
  customElements.define("bad-1", HTMLElement);
  document.createElement("bad-1"); // (2)
  new HTMLElement(); // (3)
</script>
<bad-1></bad-1> <!-- (4) -->

So with your proposal of checking new.target, clearly (3) will throw.

The other cases are less clear, but I think they work... at some point they all call Construct(HTMLElement), which throws:

• For (1), that causes the upgrade to fail; the exception will be send to window.onerror
• For (2), that causes createElement to synchronously re-throw the exception
• For (4), that will cause the parser to fail, thus the parser will instead create a HTMLUnknownElement.

So I guess it works.

---

Can you also help me understand why this check would be easier to make at construction time, instead of at definition time? In both cases you need to compare a constructor (either C, or new.target) against the list of all constructors. In neither case can you check a constructed object, since no object has been constructed yet. It seems a bit more costly to do the check on every element creation too... That's part of why I think I came up with the currently-specced approach, of just prohibiting these "bad-1" -> HTMLElement associations from ever getting into the custom element registry in the first place.

[Mr0grog]

Seeing the above example, it also occurs to me that: a) any given custom element is likely to be used more than once on a page and b) its definition will often be loaded asynchronously, so when @domenic's case (1) occurs, it'll probably occur many times.

That is, if an author passes an invalid constructor to customElements.define() and it doesn’t throw until construction time, they might suddenly see 10 or 20 error events on window show up at once. That doesn’t seem so great.

[rniwa]

Can you also help me understand why this check would be easier to make at construction time, instead of at definition time? In both cases you need to compare a constructor (either C, or new.target) against the list of all constructors.

You don't because you can just check that you're constructing yourself during the construction. e.g. let's say you're trying to define a custom element with interface HTMLInputElement. Then in your implementation, either HTMLInputElement has a constructor or it doesn't.

1. HTMLInputElement has a constructor. In this case, you can simply check that new.target isn't HTMLInputElement in the constructor.
2. HTMLInputElement doesn't have a constructor. In this case, the attempt to Construct the element immediately fails.

So in either scenario, one doesn't have to enumerate the list of all builtin HTML*Element constructors.

[rniwa]

Also, I'm not sure how your check works against Proxy objects. What happens if you defined a Proxy to HTMLElement? Proxy could change its behavior anytime it wants so it seems any check we do during the definition time won't be sufficient.

[kojiishi]

+1 to @rniwa, turns out that the current Blink impl skips this check.

[domenic]

You don't because you can just check that you're constructing yourself during the construction.

Ah, great, that makes sense! OK, I can change this then...

Also, I'm not sure how your check works against Proxy objects.

I think the new.target would still be the original constructor (when the proxy delegates construction). So it would still fail. But I guess we don't need to worry about it any more.

+1 to @rniwa, turns out that the current Blink impl skips this check.

I hope someone is writing web platform tests for this!! (And the Proxy case is a good one too.) I thought I even saw some from Firefox land in WPT...

[rniwa]

Also, I'm not sure how your check works against Proxy objects.

I think the new.target would still be the original constructor (when the proxy delegates construction). So it would still fail. But I guess we don't need to worry about it any more.

My point was that this case is hard/impossible to catch at definition time. e.g. constructor = new Proxy(HTMLElement, {}); Then constructor !== HTMLElement yet it would still construct HTMLElement. So the only timing at which we can catch case like this is at construction time when, as you said, new.target would tell us exactly which object we're trying to construct.

[dominiccooney]

I support this proposal, specifically in HTMLConstructor stepts, if new.target === the active function object then throw a TypeError. Given HTMLConstructor step 4.2, which ties together the definition's local name and the active function object's allowable local names, this prevents mayhem like minting elements with unrelated local names or effectively using built-in constructors directly to create elements.