W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2011

Re: Component Model is not an Isolation Model

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 09 Mar 2011 22:41:08 -0500
Message-ID: <4D784854.7050105@mit.edu>
To: Ryosuke Niwa <rniwa@webkit.org>
CC: Dimitri Glazkov <dglazkov@chromium.org>, public-webapps <public-webapps@w3.org>
On 3/9/11 10:29 PM, Ryosuke Niwa wrote:
>     This is sort of a requirement for being able to use components that
>     you don't trust to arbitrarily mess with your DOM though, no?
>
> We already have very complicated security mechanisms for frames, and the
> history of the Web tells us that it's really hard to get them right.
>   Why can't we reuse the same mechanism instead of introducing new one?
>   Isn't it as simple as putting an iframe in your component, no?

You mean putting your component in an iframe, to address the issue I 
brought up above?

I suppose that could be done, but that involves having an iframe for 
things you want to end up using components, which means the markup is 
suddenly polluted with these "componentization" hooks.

I would expect that the actual isolation model UAs _implement_ will use 
the same infrastructure that frames do.  But that doesn't mean we need 
actual frames in the markup.

Also notice that we want a slightly different policy here from frames, 
in that components do need to be able to define some methods on the 
objects they're bound to, right?

-Boris
Received on Thursday, 10 March 2011 03:41:42 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:43 GMT