
Re: [webcomponents]: Making Shadow DOM Subtrees Traversable

From: Elliott Sprehn <esprehn@gmail.com>
Date: Thu, 8 Nov 2012 09:28:22 -0800
Message-ID: <CAPJYB1i0_=85nnQGSr6TovLCG_6Cc6qOh3UMYRER_4ZPH1Zdhw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Dimitri Glazkov <dglazkov@chromium.org>, Dominic Cooney <dominicc@chromium.org>, public-webapps <public-webapps@w3.org>
On Thu, Nov 8, 2012 at 8:13 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 11/8/12 1:45 AM, Elliott Sprehn wrote:
>> That means that I
>> doubt you'll get widgets being broken as Boris suggests because people
>> aren't going to accidentally modify the inside of your widget.
> The problems start when people _maliciously_ modify the inside of your
> widget.  Again, with XBL you don't get to accidentally modify the insides
> of anonymous content (shadow) trees.  But there were all sorts of attack
> scenarios where people could modify them at all.

If you're worried about malicious attacks on your widget, shadows being
private is not enough. You need a whole new scripting context. I can
override all the String and Array methods, DOM prototype methods,
document.createElement, document.implementation methods, MutationObserver
etc. or even the ShadowRoot constructor with the current API and still
likely capture the inside of your component. This is JavaScript after all.

You're much better off using a public shadow and then putting your whole
widget in a cross domain iframe to get a new scripting context instead of
depending on the false security of a private shadow.

>> I'd also hate to prevent future innovation like Google Feedback which
>> has turned out to be a critical component for Google product success.
> I would like to understand more here.  How does preventing touching the
> shadow tree by default prevent something like Google Feedback?

Google Feedback is an HTML rendering engine written in JS. To render the
document you need access to every DOM node so you can draw it to a canvas.
In the world of web components much, or often all, of your web application
ends up inside of a component. We can imagine Gmail is something like:


Google Feedback would be unable to access the private shadow tree where
the actual content of the page is so your screenshot would be blank.

Today Google Feedback "just works" on most pages on the web and can be
activated through a bookmarklet on any website, even ones that Google does
not control. In the future this wouldn't be possible if shadows were
private by default and authors didn't consider all future library and
widget integrations.

For more information about Google Feedback see my recent architecture

Another example is Readability:

Once the articles on news websites are actually just <x-news-article
articleId="{bindingForArticleId}"></x-news-article> and load from the model
into their shadow they become hidden from bookmarklets that wish to
traverse down into them making future innovations like Readability difficult
without super hacks.

- E
Received on Thursday, 8 November 2012 17:29:33 UTC
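
The point in the message above about needing a new scripting context, as an added example that is not part of the original message or of any browser or component code. It runs under Node.js; `widgetSource`, `makeWidget`, `observeWhile`, `sameRealm` and `separateRealm` are hypothetical names, and a Node `vm` context is assumed as a stand-in for the separate realm a cross-domain iframe provides.

```javascript
const vm = require('node:vm');

// Constructed widget: keeps its internal nodes in a closure and never returns them.
const widgetSource = `(function makeWidget() {
  const privateNodes = [];
  privateNodes.push({ tag: 'input', value: 'draft text' });
  return { count: () => privateNodes.length };
})`;

// Runs `instantiate` while Array.prototype.push in THIS realm is wrapped, and
// returns every array the wrapper observed receiving a node-like object.
function observeWhile(instantiate) {
  const original = Array.prototype.push;
  const seen = new Set(); // a Set, so recording does not call the wrapped push
  Array.prototype.push = function (...items) {
    if (items.some((i) => i && typeof i === 'object' && 'tag' in i)) seen.add(this);
    return original.apply(this, items);
  };
  try {
    instantiate();
  } finally {
    Array.prototype.push = original; // always restore the built-in
  }
  return [...seen];
}

// Same scripting context: the widget's [] inherits from the wrapped prototype,
// so the closure-private array is handed to the wrapper.
function sameRealm() {
  return observeWhile(() => vm.runInThisContext(widgetSource)());
}

// Separate context: the widget gets its own Array intrinsics, which the page's
// wrapper never touched. vm only models "separate realm" here; Node documents
// that vm is not a security mechanism.
function separateRealm() {
  return observeWhile(() => vm.runInNewContext(widgetSource)());
}

console.log('same realm, arrays observed:', sameRealm().length);
console.log('separate realm, arrays observed:', separateRealm().length);
```
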