Re: [webcomponents] Consider exposing Shadom DOM and Custom Elements only in secure contexts (#449) from Gilmore Davidson on 2016-03-22 (public-webapps-github@w3.org from March 2016)

From: Gilmore Davidson <notifications@github.com>
Date: Tue, 22 Mar 2016 16:21:10 -0700
To: w3c/webcomponents <webcomponents@noreply.github.com>
Message-ID: <w3c/webcomponents/issues/449/200075682@github.com>

I see Service Workers being brought up as justification a few times. The difference here is that the SW spec was HTTPS-only _from the start_.

Service Workers can take full control of a user's browsing experience, it makes sense to restrict that to secure contexts. Geolocation has the potential for privacy violations, it makes sense to restrict that to secure contexts. Custom elements and Shadow DOM are ways to make new encapsulated HTML elements, with no security or privacy concerns that I can see, so why should that be restricted to secure contexts only?

Custom elements and Shadow DOM have been in progress for so long that a lot of library authors have built on top of them. Sure, many of them have been built on top of Polymer, but that was never meant to be the permanent solution. This decision suddenly says to all of them "sorry, your library won't work on plain HTTP pages any more, unless you build on polyfills forever"

As quoted by @andyearnshaw, the original Chromium announcement said:
> “Particularly powerful” would **not** mean things like: new rendering and layout features, CSS selectors, innocuous JavaScript APIs like showModalDialog, or the like. I expect that the majority of new work in HTML5 fits in this category

Can you imagine the outcry if the recent(ish) `<dialog>` HTML5 element was restricted to secure contexts, for no reason other to "encourage" people onto HTTPS? What about `<picture>` that the [RICG](https://responsiveimages.org/) worked so hard to make available everywhere? Should the [CSS Houdini](https://drafts.css-houdini.org/) APIs become HTTPS-only for the same "encouragement" reason? I sure hope not.

I realise that this comment is now long enough to be descending into "rant" territory, but I feel one final point is needed. In a time when [many people](https://twitter.com/search?q=%22web%20components%22%20react&src=typd) are choosing React instead of Web Components, partly due to a perception of WCs never getting finished (I'm not in this camp, BTW, but I talk to many people who are), this decision is only going to convince _more_ people to choose React. On the flip side, do you think React would have been as popular as it is now if Facebook had said it would only work in secure contexts?

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/449#issuecomment-200075682

Received on Tuesday, 22 March 2016 23:21:40 UTC