- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 09 Mar 2011 22:41:08 -0500
- To: Ryosuke Niwa <rniwa@webkit.org>
- CC: Dimitri Glazkov <dglazkov@chromium.org>, public-webapps <public-webapps@w3.org>
On 3/9/11 10:29 PM, Ryosuke Niwa wrote: > This is sort of a requirement for being able to use components that > you don't trust to arbitrarily mess with your DOM though, no? > > We already have very complicated security mechanisms for frames, and the > history of the Web tells us that it's really hard to get them right. > Why can't we reuse the same mechanism instead of introducing new one? > Isn't it as simple as putting an iframe in your component, no? You mean putting your component in an iframe, to address the issue I brought up above? I suppose that could be done, but that involves having an iframe for things you want to end up using components, which means the markup is suddenly polluted with these "componentization" hooks. I would expect that the actual isolation model UAs _implement_ will use the same infrastructure that frames do. But that doesn't mean we need actual frames in the markup. Also notice that we want a slightly different policy here from frames, in that components do need to be able to define some methods on the objects they're bound to, right? -Boris
Received on Thursday, 10 March 2011 03:41:42 UTC