- From: Thomas Jensen <notifications@github.com>
- Date: Thu, 03 Dec 2015 09:46:46 -0800
- To: w3c/webcomponents <webcomponents@noreply.github.com>
Received on Thursday, 3 December 2015 17:47:41 UTC
By "encapsulated" I really meant "secure". > iframes don't always provide this opacity. They only provide it when the document domains for the iframe the the parent are different. When they are the same, the parent document can look inside and modify the content of the iframe. Yes, but Shadow DOM is more powerfull in that the developer can now choose open/closed according to needs (security) and not have to bother with all the issues arising from an iframe. I see it this way: "open" is the standard, but when you need integrity (security) you go with closed. And the nice thing is that this does not bring a whole new category of issues (as replacing your DOM nodes with an iframe would). > On the axe-core implementation, it uses window.postMessage for communication which is not available in the same manner for Shadow DOM. If the developer chose "closed" mode, then of course you won't be able to inject scripts - and you shouldn't, as that is basically the same as different-origin iframes. --- Reply to this email directly or view it on GitHub: https://github.com/w3c/webcomponents/issues/100#issuecomment-161728638
Received on Thursday, 3 December 2015 17:47:41 UTC