W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2012

Re: [webcomponents]: Making Shadow DOM Subtrees Traversable

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 08 Nov 2012 21:26:53 -0800
Message-ID: <509C941D.2020108@mit.edu>
To: Elliott Sprehn <esprehn@gmail.com>
CC: Dimitri Glazkov <dglazkov@chromium.org>, Dominic Cooney <dominicc@chromium.org>, public-webapps <public-webapps@w3.org>
On 11/8/12 9:28 AM, Elliott Sprehn wrote:
> If you're worried about malicious attacks on your widget, shadows being
> private is not enough. You need a whole new scripting context.

Er... yes, you do.  Do widgets not get that?  If not, that's pretty 
broken...

> Google Feedback is an HTML rendering engine written in JS. To render the
> document you need access to every DOM node so you can draw it to a
> canvas.

I see.  It'll still break with things like images and whatnot if you 
want to extract the data from that canvas (in general, modulo CORS etc), 
but yes, I can see how not being able to get inside components is a problem.

I wonder whether making access to the insides of components work based 
on same-origin restrictions + CORS makes sense.

-Boris
Received on Friday, 9 November 2012 05:27:22 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:56 GMT