- From: Dylan Barrell <notifications@github.com>
- Date: Thu, 03 Dec 2015 07:15:07 -0800
- To: w3c/webcomponents <webcomponents@noreply.github.com>
- Message-ID: <w3c/webcomponents/issues/100/161671195@github.com>
@tjconcept I have personally also been affected by those iframe bugs and issues but I think the right place to fix those is in the HTML spec for iframes. iframes don't always provide this opacity. They only provide it when the document domains for the iframe the the parent are different. When they are the same, the parent document can look inside and modify the content of the iframe. The reason for the opacity has nothing to do with encapsulation and everything to do with security. Specifically, if cross domain iframes allowed access, it could allow a malicious web site to steal users data by pretending to be another site. In order to implement this fully, the canvas element also has to prevent iframes from being painted onto a canvas. If you think about it that way, then using iframes for their encapsulation properties is the same as using same domain iframes, which does not provide the opacity. The open Shadow DOM provides the same protection. It is precisely this analysis which leads me to conclude that the closed Shadow DOM is not satisfying any publicly stated and agreed-upon need. It should therefore immediately be dropped from the spec. On the axe-core implementation, it uses window.postMessage for communication which is not available in the same manner for Shadow DOM. --- Reply to this email directly or view it on GitHub: https://github.com/w3c/webcomponents/issues/100#issuecomment-161671195
Received on Thursday, 3 December 2015 15:15:37 UTC