W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2012

Re: [webcomponents]: Making Shadow DOM Subtrees Traversable

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 08 Nov 2012 09:48:54 -0800
Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, public-webapps <public-webapps@w3.org>
Message-id: <22F1E421-1044-45CA-9145-64F993F3790B@apple.com>
To: Dimitri Glazkov <dglazkov@google.com>

On Nov 6, 2012, at 3:29 PM, Dimitri Glazkov <dglazkov@google.com> wrote:

> On Thu, Nov 1, 2012 at 8:39 AM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>>>>>> 6) The "isolated" setting essentially means that there's a new
>>>>>> document and scripting context for this shadow subtree (specifics
>>>>>> TBD). Watch https://www.w3.org/Bugs/Public/show_bug.cgi?id=16509 for progress.
>>>>> That seems like a whole separate feature - perhaps we should figure out "private" vs "public" first. It would be good to know the use cases for this feature over using "private" or something like seamless iframes.
>>>> Yeah, sure.  It's useful to bring up at the same time, though, because
>>>> there are some decent use-cases that sound at first blush like they
>>>> should be "private", but really want even stronger security/isolation
>>>> constraints.
>>>> An existing example, iirc, is the Google +1 button widget.  Every
>>>> single +1 includes an <iframe> so it can do some secure scripting
>>>> without the page being able to reach in and fiddle with things.
>>> What are the advantages to using an isolated component for the +1 button instead if an iframe, or a private component containing an iframe?
>> I'm not 100% sure (Dimitri can answer better), but I think it's
>> because we can do a somewhat more lightweight isolation than what a
>> full iframe provides.
>> IIRC, several of our use-cases *really* want all of the instances of a
>> given component to use the same scripting context, because there's
>> going to be a lot of them, and they all need the same simple data;
>> they'd gain no benefit from being fully separate and paying the cost
>> of a thousand unique scripting contexts.

Is that the semantics "isolated" would have? All instances of the same component are in the same scripting context, but one separate from the page? I assumed that "new
document and scripting context for this shadow subtree" would mean there's a new one per instance, and the document plus the scripting context is most of the cost of an iframe.

> Yup. The typical example that the Google+ people point out to me is
> techcrunch.com. The count of iframes had gotten so high that it
> affected performance to the point where the crunchmasters had to fake
> the buttons (and reveal them on hover, which is tangential to the
> story and may or may not have been the wisest choice).
> With isolated shadow trees, the number of scripting contexts would
> equal then number of button-makers, and offer additional opportunities
> like sharing styles among instances.

OK, it wasn't clear that the separate document and scripting context for isolated components would be per unique component, rather than per-instance. That does seem like a meaningfully different behavior.

>>> One thing that makes me nervous about the"isolated" idea, is thata scripting context is normally bound one-to-one to either a browsing context or a worker; and having multiple scripting contexts per browsing context seems like it could be tricky to implement and may have security risks. But I don't have any more concrete objection at this time.
>> I think that Workers or something very much like them is a productive
>> direction to look in for the isolated components, actually.

Wouldn't that require making the DOM and UI event dispatch threadsafe (which are likely not very practical things to do)?

>>>> Flipping it around, isolation also serves as a great way for the
>>>> *page* to protect itself from the *component*.  There are tons of
>>>> components that have absolutely no need to interact with the outside
>>>> page, so sealing them off loses you nothing and gains you peace of
>>>> mind when worrying about whether you should include some random
>>>> plugins you found on your favorite component library site.
>>> Would the page be able to choose to make a component isolated without the cooperation of the component? Or alternately load components in such a way that only isolated ones would succeed?
>> I think we'd like that, but haven't thought it through very hard yet.
> Isolation as a problem is something that's often considered in design
> discussions (hence it being brought up here), but it's in a distant
> future in relation to actual progress of the spec. If there were
> Shadow DOM L2, that would a nice place to start.

Maybe it should be set aside from this public vs private discussion for now then.

If it may be desirable to force isolated from the outside, then that makes it substantially different from the public vs private distinction, which should be completely under the control of the component. There's not much point to discussing isolated without having a handle on this aspect of its design.

Received on Thursday, 8 November 2012 17:49:32 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:50 UTC