- From: Matthew Ryan <notifications@github.com>
- Date: Fri, 13 May 2016 11:34:36 -0700
- To: w3c/webcomponents <webcomponents@noreply.github.com>
- Cc:
- Message-ID: <w3c/webcomponents/issues/354/219124839@github.com>
How do people feel about explicitly blacklisting **developer induced execution contexts** from accessing `shadowRoot` on closed shadow DOM hosts? (Ie. `shadowRoot` should behave as for open currently, except when it is closed *and* requested from one of these contexts.) By **developer induced execution contexts**, I mean specifically: * when code is executed that was loaded via a `<script>` tag (inlined or via `src`) that was constructed from the page's HTML source. * when code is executed from an event listener attribute (eg. `onclick` attribute). * when code is executed from an `eval` evaluated string in a **developer induced execution context**. * when code is executed that was loaded via a `<script>` tag (inlined or via `src`) that was placed in the DOM from a **developer induced execution context**. By definition, these wouldn't include any user-agent injected code, so any DOM access from * browser extensions/plugins/userscripts * WebDriver implementations/other automation software * accessibility software * bookmarklets * developer tools and their APIs will explicitly be granted `shadowRoot` permissions on closed shadow DOMs by the spec. I feel this would be massively preferable to having to modify the spec for every instance of each of these, especially since we can avoid the proliferation of different APIs for accessing closed shadow DOMs that would result. And I believe it would resolve this issue in its entirety. Would anybody have objections to this being formalised and included in the spec? --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/webcomponents/issues/354#issuecomment-219124839
Received on Friday, 13 May 2016 18:35:22 UTC